Regulatory Update: HITRUST Simplifies Compliance with Newly Released HITECH Act
Date: May 5, 2009

Enhancements to the Common Security Framework reduce time, resources and expense of HITECH Act compliance for healthcare organizations and their business partners

Frisco, TX – May 5, 2009 – The U.S. Department of Health and Human Services under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) issued its guidance concerning protection of personally identifiable health information for purposes of security breach notifications. This is the first in a series of announcements for which compliance may require the expenditure of significant time and expense by healthcare organizations. These organizations also have many concerns about the impact and implications of the announcements on how they govern the security of information exchanged with their business partners.

In response, the Health Information Trust Alliance (HITRUST) is proactively collaborating with industry on how to effectively and practically comply with these new announcements. HITRUST has reviewed the guidance and is integrating the new HITECH Act requirements into the Common Security Framework (CSF). By leveraging a single IT control framework that is aligned with the requirements of their business, healthcare organizations will save significant time and expense that would be spent in performing this analysis independently and in auditing business associates for the new requirements. The “HITECH Authoritative Source” will be available at no additional cost to subscribers of the HITRUST Central online community, which includes the Common Security Framework.

“Leveraging the existing program and working group structure, HITRUST will do the ‘heavy lifting’ needed to figure out the implementation requirements of the HITECH Act and normalize them against the other standards and regulations already encompassed in the Common Security Framework – so individual healthcare organizations don’t have to,” said Daniel S. Nutkis, Chief Executive Officer, HITRUST.

“Organizations are adopting the Common Security Framework as a means of addressing information protection including HITECH and other regulatory requirements – where the regulations provide the what, the Common Security Framework provides the how,” said Cliff Baker, Chief Strategy Officer, HITRUST.

HITRUST also announced today the Business Partner Information Security Compliance Summit to be held in Nashville on May 19th 2009, more information is available at At the summit HITRUST is facilitating broad collaboration between healthcare organizations, law firms, vendors, data exchanges and auditing firms on new and innovative approaches for streamlining existing processes to ensure security compliance of their business partners. Attendees will leave with a roadmap for reducing exposure from security breaches in business partner organizations by leveraging an industry-wide approach aimed at enhancing security while controlling compliance costs.

“We share similar security challenges across the health care industry. By leveraging our combined resources through a collaborative industry effort, such as HITRUST, we can save time and cost while achieving a benchmark for the industry that is supported by the wide range of healthcare organizations,” said Paul Connelly, Vice President and Chief Information Security Officer, Hospital Corporation of America.

HITRUST will also launch at the summit the creation of a new working group focused on addressing the requirements of the HITECH Act. The group will develop guidance and tools that will simplify compliance and the adoption of consistent and effective security controls. Deliverables will include Common Security Framework toolsets such as standard templates for business associate agreements, breach response plans, business associate compliance policies and related security training, all of which will give organizations a much needed head-start on achieving compliance.

“Industry adoption of a common set of security requirements such as those identified within the HITRUST Common Security Framework can save my organization significant costs in meeting the security expectations of business partners and associates,” said Lee Imrey, Chief Information Security Officer, AIM Healthcare.

Work group members and summit attendees will also discuss the role of the HITRUST Certification program to help streamline compliance costs. The program was developed by leading audit and professional services firms to provide an effective solution for healthcare organizations to manage compliance and exposure to security breaches originating with business associates. The HITRUST Common Security Framework and Certification program is the only widely available program of its type that is used by organizations to manage security compliance for a wide range of business partners, including healthcare organizations of all sizes, international companies and organizations from other industries.

“The trend of each organization having their own flavor or interpretation of requirements does not meet the need or expectation for security protections. The industry needs to standardize on an approach to rationalize our compliance spend and limit our exposure,” added Connelly.

Pricing and Availability

HITRUST will release the HITECH Authoritative Source on May 15, 2009, available through HITRUST Central. Subscriptions to HITRUST Central start at $1,875 and include access to the Common Security Framework, HITECH Authoritative Source, HITECH Act discussion forums and breach response templates. HITRUST will continue to deliver updates in a timely fashion as further disclosure and guidance become available.

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption and utilization of health information technologies and exchanges. This, in turn, is critical to realizing the related promise of quality improvement and cost containment in America’s healthcare system. HITRUST is collaborating with healthcare, business, technology, and information security leaders to establish a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the first common security framework, HITRUST is also driving adoption and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit


All product and company names herein may be trademarks of their respective owners.
