Key Insights and Requirements
HITRUST announces support for organizations seeking to demonstrate the use of Recognized Security Practices (RSPs) as defined in the 2021 HITECH Act and in alignment with recent guidance from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) through the HITRUST CSF, Assurance Program, and Risk-based, Two-year (r2) Validated Assessment.
Regulated entities can use the HITRUST Assurance Program and HITRUST CSF framework’s inherent alignment with the NIST Cybersecurity Framework to catalog and showcase the enterprise presence of controls; document and collect evidence of active and consistent controls for the previous 12 months; and demonstrate and report full alignment of controls with the NIST Cybersecurity Framework as a category of RSP supported by the HITECH Act and OCR.
“A cybersecurity program that incorporates the principles outlined by the HITECH Amendment and the OCR guidance is not only prepared to take advantage of the mitigation incentives offered by the HITECH Act but, most importantly, shows robust and demonstrable maturity of their cybersecurity system,” said Robert Booker, Chief Strategy Officer, HITRUST. “This documented maturity of active and consistent security controls not only provides more confidence to all stakeholders in the healthcare industry, but also provides health entities the best opportunity to combat and respond to the continued threats they face.”
HITRUST offers multiple capabilities in support of cybersecurity maturity and obligations for healthcare-regulated entities.
With the release of guidance for documentation of Recognized Security Practices, regulated entities in healthcare can now use HITRUST both to support existing obligations under the HIPAA Security Rule and to align those efforts with their documentation of Recognized Security Practices, for those who wish to take advantage of the mitigation incentives offered by the HITECH Act.
HITRUST provides an integrated approach to these distinct requirements, and a high level of transparency, consistency, and integrity. This quality, and the inherent efficiency of a common system, will maximize the benefit of every healthcare dollar spent on information security, while yielding a more mature cybersecurity program.
In the next few weeks, HITRUST will distribute materials that help healthcare-regulated entities tailor and scope their assurance reports so that they document their cybersecurity program’s Recognized Security Practices based on the NIST Cybersecurity Framework, in support of the mitigation incentives offered by the 2021 HITECH Act.
Further, HITRUST CSF v11, due out in January 2023, will include Health Industry Cybersecurity Practices (HICP) as an authoritative source, increasing the benefits and options for demonstrating adherence to OCR Recognized Security Practices guidance.
Existing HITRUST adopters are invited to contact their HITRUST representative for more information.
Additional related reference material: Healthcare & Public Health Sector information on how to understand and use the HITRUST CSF to facilitate an organization's implementation of the NIST Cybersecurity Framework can be found on the Cybersecurity & Infrastructure Security Agency’s (CISA) Cybersecurity Framework website.
To learn more about leveraging HITRUST to support HIPAA compliance, see the HITRUST website.