HITRUST vs. HIPAA: What You Need to Know
Most cybersecurity regulations deal with the safe storage of financial data or state secrets for a variety of nations. Healthcare data has its own watchdog, even though HIPAA has been in place for decades. The Health Information Trust Alliance (HITRUST) is a privately held company located in the United States that, in collaboration with healthcare, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by any organization that creates, accesses, stores or exchanges sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards.
But why does HITRUST even have to exist if HIPAA was enacted to protect the same data back in 1996? To meet HIPAA compliance, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information security controls that adequately protect ePHI against all reasonably anticipated threats. In practice, organizations that want to demonstrate HIPAA compliance must generally show that they have addressed each standard and implementation specification in the Security Rule, including risk analysis.
To fully address the rule’s standards and specifications, organizations must design or select multiple information security controls that are prescriptive enough to be implemented in a system or across the organization. Because many of the standards and implementation specifications are ambiguous, an organization must ask and answer specific questions about them if it is to adequately address the threats these safeguards were designed to counter.
The HITRUST CSF helps healthcare organizations answer these questions by providing an extensive mapping of the CSF controls to the HIPAA Security Rule’s standards and implementation specifications, many of which are mapped to multiple controls. The CSF controls themselves consist of multiple specific requirements organized into multiple levels. By implementing the HITRUST CSF control requirements that apply to an organization based on its specific organizational, system and regulatory risk factors, each and every standard and implementation specification in the Security Rule is addressed completely and robustly.
You may think you’ve covered all your bases by adhering to HIPAA, but you’re wrong. Instead, join forces with 2W Tech to help protect your clients’ sensitive healthcare data. We have a Security Compliance Consulting Program designed to support our clients’ compliance obligations. Call us today to get started on your HITRUST journey.