Cristina’s Compliance Corner: HITRUST – Is It Worth The Hype? 

When HITRUST first hit the scene in 2007, it had always felt like a bit of a mystery to me. I asked myself questions like:

– What was this magical framework that came out of seemingly nowhere? 

– How did it penetrate a pretty traditional space and garner importance so quickly? 

– And how did it differ from HIPAA, if at all? 

These questions piqued my interest and encouraged me to learn more and, eventually, sit for the HITRUST CSF certification last year. Since then, I’ve seen even more traction in the marketplace as this certification continues to gain hype and credibility.

I know that if I had so many questions before learning about HITRUST, many of you probably do too! So, I recently sat down with Jason Kor, Thoropass’s new Director of Healthcare, and discussed some frequently asked questions around HITRUST, what the certification process looks like, and whether it’s really worth all the hype. We blew past our 30-minute time limit and covered a lot of ground (plus, answered questions from the live audience!). You can watch the discussion below.

What even is HITRUST?

HITRUST stands for the Health Information Trust Alliance, and it’s proven to live up well to its title. The “HITRUST approach” was created for companies across all industries to demonstrate their commitment to compliance, risk management, and protecting and handling sensitive data. HITRUST is a voluntary third-party certification that anyone in any industry can achieve. However, it is typically a certification sought after by those operating in the healthcare industry.

While it isn’t limited solely to those who touch, process, or house PHI (protected health information), it does allow a company to show compliance with HIPAA regulations through a standardized and auditable framework, which is one of the most desirable attributes of HITRUST. Since HIPAA is a regulation and not an auditable framework, it can be difficult to provide clear evidence that your business meets all the requirements. 

HITRUST is a rigorous certification that aims for optimal levels of compliance. Read on to see how HITRUST differs and overlaps with other common frameworks.



HITRUST and HIPAA (and SOC2 and ISO27001)

One of the most commonly asked questions I’ve come across when discussing HITRUST is: What is the difference between HITRUST and HIPAA? 

As mentioned above, HIPAA is a federal law created by lawmakers (and thus, non-optional), whereas HITRUST is a framework designed by security professionals. There are many similarities and overlapping controls between HITRUST and HIPAA, especially around the controls for sensitive information. 

Both frameworks outline requirements for this sensitive information, but HITRUST can show proof of this through certification. Those who seek out HIPAA compliance may consider pursuing an auditable framework, such as SOC2 or ISO27001, to demonstrate compliance instead. 

However, HITRUST’s overlapping similarities are not just limited to HIPAA. There are significant similarities to other common frameworks such as SOC2 and ISO27001. 

Similarities to SOC2 include:

  1. Protection of sensitive information. SOC2 and HITRUST aim to protect sensitive information. They both include controls representing various mechanisms of protection, including things like encryption and restricted access. 
  2. Technical and operational coverage. Both frameworks share a commonality: they include technical and operational controls. Auditors may not test them in exactly the same way, but the spirit of the controls is similar.

Whereas ISO27001 similarities include:

  1. Risk-based approach. ISO27001 emphasizes thinking about risk in a broader context like HITRUST does. This includes considering risk when evaluating every aspect of the organization, from personnel to technical operations.
  2. Certification Process. Like HITRUST, ISO27001 is a certification that lasts a set period of time. A company implements its controls and has them independently assessed for completeness and accuracy. Discrepancies will be noted. For ISO27001, discrepancies are called non-conformities, and for HITRUST, they are documented in a corrective action plan. There is an opportunity for remediation to wholly meet the spirit of the control. 

In obtaining HITRUST certification, one can rest assured that they are keeping up with their ongoing SOC2 and ISO27001 compliance (if applicable). However, it is worth mentioning some key differences between them as well, including: 

  1. The scope of the assessments/certifications. The scope of the assessments, meaning what will be evaluated for compliance, differs between the frameworks. HITRUST includes a more comprehensive scope because it encompasses components of many different frameworks. 
  2. The audit process itself. The audit processes differ greatly between the three auditable certifications – SOC2, ISO27001, and HITRUST. For HITRUST, a third-party assessor certified by HITRUST will perform a comprehensive review of the organization’s processes and controls. Once complete, HITRUST will issue a report detailing the findings and issue a certification. 

Is HITRUST worth the hype?

It’s a loaded question and depends on your company’s goals and needs. Consider the following when deciding whether to invest time, resources, and money.

  1. Investor/Customer Requirement. Some investors or customers looking to do business with a company will have HITRUST certification as a hard requirement. This is because many view this as the “gold standard” and a wholly encompassing certification that covers all the bases (including SOC2, ISO27001, and PCI controls). 
  2. Processing, storing, or touching PHI. HITRUST is the ultimate commitment to protecting sensitive data, including PHI. Companies with access to PHI are at a higher risk of data breaches, so implementing the controls necessary to protect this information significantly reduces the risk. 
  3. Report. Unlike HIPAA, HITRUST allows customers who are required to adhere to regulations to have a report representing their compliance. Being able to demonstrate your commitment to the protection of sensitive information builds trust with prospective customers and partners. 

However, many believe HITRUST is an unnecessary – and very expensive – certification. It may also be relevant to note that it’s a highly rigorous and time-intensive certification, so it’s important to be prepared with the time and human resources to dedicate to it. Additionally, given its relatively recent rise to prominence in the space, there is also a lack of recognition from many. Thus, it appears to be most advantageous to those in the digital healthcare space or those who need to sell directly into the healthcare industry. 

Pursuing third-party certifications is a choice made at the individual company level. Companies may consider their industry, what their prospects are looking for, and general market requirement trends when deciding whether to pursue HITRUST compliance or not. 

Compliance as a trust mechanism

At the end of the day, obtaining a compliance certification will improve an organization. It builds trust with prospects and partners, protects data and company IP, and ultimately shows that you take security and privacy seriously. Each framework shows a commitment to the integrity and protection of sensitive information. 

Ready to get compliant?

If you want to comply with a framework like HITRUST, SOC 2, or ISO 27001, consider the experts at Thoropass to guide you through the process from beginning to end. With our thorough risk assessment, fast certifications, and automated workflow audits, Thoropass makes staying within compliance as straightforward as possible. Speak to a member of our team today to learn more.
