The Health Information Trust Alliance
The Health Information Trust Alliance (HITRUST) has established a Common Security Framework (CSF) that can be used by any organization that creates, accesses, stores, or exchanges sensitive and/or regulated health-related data.
The CSF includes a prescriptive set of controls that harmonizes the requirements of multiple regulations and standards.
What are the benefits of HITRUST Certification?
- Reduced time and resources dedicated to audits
- Meeting customer requirements through demonstrated compliance
- Better understanding of an organization's risks and growth opportunities
- Enhanced security systems, leading to greater credibility and brand reputation
- A simplified compliance process, supporting better healthcare services
Who can get HITRUST Certification?
HITRUST is a common framework built through collaboration across the healthcare, information security and business technology fields, intended for any organization that creates, accesses, stores or exchanges Protected Health Information (PHI), so that it can do so safely and securely.
What are the requirements of HITRUST Certification?
The HITRUST CSF includes control objectives and control specifications drawn from multiple combined references, including ISO 27001, ISO 27002, ISO 27799 (Health Informatics), the NIST SP 800 series, HIPAA Omnibus, PCI and other standards, which are integrated and normalized into specific controls.
The HITRUST CSF defines 14 security Control Categories, each comprising Control Objectives and Control Specifications.
HITRUST recommends a comprehensive risk management approach built on a 4-step process:
- Identify risks and define the protection requirements
- Specify controls
- Implement and manage controls
- Assess and report
Implementation of HITRUST is categorized into three levels, determined by three kinds of risk factors:
- Organizational factors
- System factors
- Regulatory factors
The three levels of HITRUST compliance requirements are:
Level 1: The minimum security requirements a system must meet; satisfying all HIPAA Security Rule requirements makes a system compliant with Level 1 of HITRUST.
Level 2: All the functionality and controls of Level 1, but with enhanced strength of functionality and controls. Level 2 is required only for an organization whose organizational, system and regulatory factors carry greater risk and complexity than those of Level 1.
Level 3: All the functionality and controls of Level 2, but with enhanced or additional strength of functionality and controls. Level 3 is required only for an organization whose organizational, system and regulatory factors carry greater risk and complexity than those of Level 2.