The US Healthcare and Medical Industry continues to increasingly rely on evolving technologies to store, manage and transmit data. As a result, compliance has become more complex to manage. There are dozens of data security requirements from federal, state and third party agencies that make managing compliance a daunting task. Organizations are not only required to demonstrate compliance but to ensure that they are trustworthy. Without a doubt, the industry needed a clear, efficient and secure system to manage data security compliance.
The holy grail of compliance is, of course, HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, sets the standard for securing sensitive patient data. Any medical or health firm that deals with protected health information (PHI) is tasked with ensuring that all the necessary physical, network, and process security measures are in place and followed. This all sounds straightforward until providers take a closer look and attempt to come up with an actionable roadmap. What they find instead is vague and ambiguous language that often contains loopholes. Take, for example, HIPAA’s guidelines that allow providers, when choosing which controls to implement, to take into account their complexity, size and organizational capabilities in areas such as software, technical infrastructure, hardware, security costs and the likelihood of potential risks. For any provider seeking specific and reliable direction, these guidelines are non-specific, and following them is no guarantee of data security. And this example is just the tip of the iceberg.
Providers who try to implement HIPAA requirements are often confused as to the meaning of “reasonable and appropriate” protections, another example of equivocal language. The result has been providers implementing controls that have no reasonable justification or are insufficient. Risk assessments are inadequate or skipped entirely, a big risk when you take into consideration the massive fines issued by the Office for Civil Rights (OCR) over the last few years. The most recent fine was on May 10, 2017, when the OCR announced a $2.4 million civil monetary penalty against Memorial Hermann Health System, a Texas firm, for alleged violations of the HIPAA Privacy Rule. In 2016, a total of $22,855,300 in fines was paid to OCR to resolve alleged HIPAA violations. Out of these, seven settlements were in excess of $1.5 million, and the largest was $5.55 million against Advocate Health Care Network. In the latter case, the breach that triggered the OCR investigation consisted of a theft of desktop computers, the loss of a laptop and improper access to data at a business associate, on three separate occasions. 3.9 million individuals were directly affected by the breach. Clearly, since the enactment of HIPAA, there has been a need for standardized and actionable guidance.
HITRUST Common Security Framework (CSF)
The Health Information Trust Alliance (HITRUST) was formed to deal with these problems. Hitrust is an organization comprised of leaders from a wide range of industries such as Healthcare, Security, and Information Technology. It was formed in 2006 to address the serious data security standards challenges outlined above, and specifically to deal with the inconsistency of standards, inefficient controls, rising costs of compliance, and increased data security risks.
Hitrust set about establishing a Common Security Framework (CSF) whose sole purpose is to provide healthcare companies and business associates with a set of guidelines to measure their compliance across a broad range of global compliance standards, not just HIPAA. Healthcare and IT professionals worked in concert to develop the CSF. The CSF is now a trusted benchmark that industry players use to measure and manage compliance, and it offers proven protection for protected health information.
When you take into consideration that every healthcare organization has several compliance obligations, the benefits of the Hitrust CSF become evident. Companies now have a prescriptive set of controls which they use to manage compliance. The process is less complex, less risky and less costly, all the while protecting patient data. With a single simplified compliance framework, the CSF:
- Incorporated HIPAA as well as other global standards such as ISO, PCI, NIST, COBIT and FTC Red Flag.
- Eliminated the risk of being found non-compliant on HIPAA. The only way an organization can be found non-compliant is by failing to follow CSF to the letter.
- Offered a clear, unambiguous and actionable road map to compliance.
- Provided a framework that evolved according to the individual company requirements as well as industry needs and the regulatory environment.
There are three different degrees of CSF Assurance, which are in effect assessment levels. These are:
- Self Assessment – this is simply a situation where an organization completes the CSF on its own. It is a useful internal tool for the organization. External parties are not involved, and Hitrust issues a CSF Self Assessment Report.
- CSF Validated – this second level requires a third party CSF Assessor to confirm that the data gathered by the organization is accurate. The CSF Assessor is accredited by Hitrust. To earn the CSF Validated Degree of Assurance, an onsite visit by a CSF Assessor is mandatory. Once the information is verified, Hitrust issues a Validated Report.
- CSF Certified – this is the third and highest assessment level. As with the CSF Validated Report, CSF Certification requires an onsite visit by a CSF Assessor. The major difference here is that Hitrust reviews not only the organization’s entries but the assessor’s validation as well. This final step takes anywhere from three to four months. Once a certification is awarded, it is valid for two years.
Hitrust Certification as an Intangible Asset
To date, no organization can claim it is “certified HIPAA compliant” because there isn’t any formal process in place. But Hitrust offers a reliable third party assessment that proves the organization has met all industry requirements of the common security framework.
Hitrust certification also offers organizations a range of benefits. For example, time and money lost during audits become a thing of the past because the CSF provides a bird’s eye view of the control overlaps among several regulatory requirements. The company can show how its controls meet all the requirements. With a single assessment, a company can generate several reports that address multiple frameworks and standards such as HIPAA, ISO, PCI, NIST, COBIT and FTC Red Flag.
But, without a doubt, one of the greatest advantages of Hitrust Certification relates to branding. Today’s consumers are a highly informed lot. They are aware of the need to protect their personal data. And, thanks to the mainstream media and social media, they are well informed about hacks and privacy breaches. Consumers are also increasingly cynical of advertising and will rarely take a company at its word on data protection. Most consumers rely on third party organizations as proof of a company’s standards on anything. It isn’t, therefore, surprising that one of the effects of Hitrust has been organizations rushing to become Hitrust Certified. Benchmarking against a recognized framework such as the CSF gives an organization credibility and prestige. Hitrust certified organizations can advertise their compliance and security, and have the proof to back it up.
So, while many organizations may feel that compliance is just another necessary evil and an additional cost of doing business, investment in Hitrust Certification actually yields valuable opportunities and attracts customers. It is the ultimate intangible asset that a company can have.
Hitrust – A Foundation for Improved Healthcare
As far as compliance is concerned, health tech is complicated. The Hitrust program and certification simplify everything by offering organizations a prescriptive set of controls developed by healthcare and IT professionals, taking best practices into account. The ultimate effect of the Hitrust program has been to allow healthcare organizations to spend less time agonizing over compliance and more time taking care of patients.
PatientCalls has been a leader in the medical answering service field for over 15 years, providing answering services with top rated quality and expertise to those in need of optimizing their organizations’ time and communications. Call PatientCalls today and ask for more information regarding our 14-day risk free trial and custom flat rate monthly price plans.