Four new frameworks from Thoropass: HIPAA, HITRUST, and ISO additions to streamline your compliance

Thoropass now supports four new compliance frameworks to meet the growing demands of AI governance, data privacy, and health information protection. These frameworks, the HIPAA CE Privacy Rule, the HITRUST AI Cybersecurity Assessment, ISO 42001, and ISO 27018, are now available on our platform, empowering organizations to strengthen their compliance posture and safeguard sensitive information more effectively.

HIPAA Covered Entities (CE) Privacy Rule: Enhanced Privacy for Healthcare

The HIPAA CE Privacy Rule adds over 80 requirements for organizations handling protected health information (PHI). It complements the HIPAA Security Rule, which Thoropass already supports.

  • HIPAA Privacy Rule: Governs all forms of PHI—digital, paper, and verbal. It defines how organizations can use and disclose PHI while protecting patient rights.
  • HIPAA Security Rule: Focuses on safeguarding electronic protected health information (ePHI). It establishes standards for the confidentiality, integrity, and availability of electronic data.

Who needs HIPAA CE Privacy Rule?

The Privacy Rule applies to Covered Entities such as healthcare providers, health plans, and healthcare clearinghouses that handle PHI in any format: digital, paper, or verbal. If your organization is already HIPAA-compliant under the Security Rule, the Privacy Rule adds a further layer of requirements that address the privacy of PHI, not just the security of ePHI.

HITRUST AI Cybersecurity Assessment: Security Standards for AI Use

HITRUST’s existing control frameworks don’t specifically address AI threats. To fill this gap, HITRUST introduced the AI Cybersecurity Assessment, which adds prescriptive AI security controls. The assessment gives organizations a reliable framework for securing their AI systems. Organizations must partner with a HITRUST-approved External Assessor to achieve the HITRUST AI security certification.

Who needs HITRUST AI Cybersecurity Assessment?

AI service providers and organizations using AI, especially in healthcare, that want to demonstrate robust governance and risk management for AI technologies. Organizations that are already HITRUST-certified can build on their current certification by adding the AI assessment, ensuring coverage of both traditional and AI-specific risks.

ISO 42001: Ethical and Secure AI

ISO 42001 is the first international standard dedicated to managing artificial intelligence (AI) systems responsibly. It sets clear requirements for an Artificial Intelligence Management System (AIMS), focusing on key areas such as risk management, AI system impact assessment, lifecycle management, and oversight of third-party suppliers. The standard helps companies implement, maintain, and improve AI systems ethically and transparently, in line with core principles such as safety, fairness, accountability, and transparency.

Who needs ISO 42001?

ISO 42001 applies to any organization using, developing, or deploying AI systems—even if AI is not their primary business. This includes industries like healthcare, finance, and manufacturing, as well as companies integrating AI into products like chatbots, recommendation engines, or decision-making tools. Regardless of industry, any organization handling AI systems can benefit from aligning with ISO 42001 to demonstrate responsible and secure AI practices.

ISO 27018: Protecting Personal Data in the Cloud

ISO 27018 is a global standard that focuses on protecting personally identifiable information (PII) in cloud environments. It builds on ISO 27001 by adding specific controls to ensure the privacy, security, and proper handling of customer data stored or processed in the cloud. These controls address issues like data access, encryption, processing transparency, and customer consent, ensuring that organizations meet high standards for protecting sensitive data.

  • ISO 27001: Focuses on managing overall information security risks, providing a broad framework for protecting all types of sensitive information. It does not address specific challenges related to cloud data privacy.
  • ISO 27018: Introduces controls specifically for cloud environments.

Who needs ISO 27018?

This standard is essential for companies handling customer data in cloud environments, including SaaS providers, financial services, healthcare organizations, and e-commerce businesses. Organizations seeking comprehensive cloud data privacy protection often implement ISO 27018 alongside ISO 27001 to build trust and meet regulatory or customer expectations for data handling.

How Thoropass Helps

Thoropass offers an all-in-one solution that simplifies and accelerates compliance for these new frameworks by automating the time-consuming manual process of setting them up and maintaining compliance. With Thoropass, you have:

  • One audit, multiple frameworks: Eliminate duplicate work by managing tasks and evidence once across multiple frameworks.
  • End-to-end automation: Streamline every step of compliance, from evidence collection to policy implementation and real-time risk tracking. 
  • Centralized risk management: Track and manage AI and other security risks, all within a single, unified platform.
  • Expert-guided journey: Benefit from tailored guidance for each framework, from project scoping and platform setup to best-practice recommendations, with no confusion and no gaps.
  • Stay compliant: Continuously monitor your controls, quickly identify problems, and automatically trigger an alert for remediation.

Start leveraging Thoropass to make complex standards simple and keep your organization ahead in compliance. Talk to our experts today.
