HITRUST—What It Is and Why It Matters
What is HITRUST?
Founded in 2007, the Health Information Trust Alliance (HITRUST) evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.
For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.
HITRUST regularly updates the CSF to incorporate new standards and regulations to make sure the framework remains relevant and current. As new regulations and security risks are introduced, provider organizations and third parties that adhere to the CSF can be well prepared with optimal security based on quarterly updates and annual audit changes.
Why HITRUST Is Important to BA Risk Management
As healthcare organizations face an increased risk of privacy and security breaches, recognizing the significant role played by their Business Associates (BAs) is critical. Conducting due diligence is essential before the partnership begins, and it is part of the provider’s ongoing risk analysis to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI). In recent years, many provider organizations have incorporated the HITRUST CSF as part of their third-party assurance process—requiring that BAs obtain CSF certification. This is largely due to the increased number of breaches involving third-party vendors.
Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CSF certification demonstrates integrity and commitment to privacy and security practices aligned with the stringent regulatory requirements and expectations of the healthcare industry.
With those priorities top of mind, MRO announced in May 2018 that its Release of Information platform ROI Online® had earned HITRUST CSF Certified status for information security. HITRUST incorporates a risk-based approach that includes federal and state regulations and standards to help organizations address challenges through a comprehensive framework of prescriptive and scalable security controls.
As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is already in place.
To learn more about the importance of HITRUST CSF and MRO’s journey to achieve certification, watch our video “MRO’s PHI Disclosure Management Platform ROI Online® Earns HITRUST CSF® Certification.”