The healthcare industry struggles to meet the compliance requirements of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires healthcare organizations and their business associates to secure protected health information (PHI) and electronic PHI (ePHI). The protections cover every location where a company creates, accesses, stores, or exchanges this sensitive information.
HIPAA incorporates requirements from several industry standards and federal regulations. These include, but are not limited to, COBIT, ISO, NIST, and PCI DSS. Many companies therefore find it difficult to comply with HIPAA, because the relevant security controls are spread across many other frameworks.
HITRUST CSF certification gives organizations a more straightforward path to meeting these information protection requirements. Starting with a self-assessment, the organization reviews the PHI and ePHI it collects and the locations where it stores, accesses, transmits, or creates that data. It then carries out a risk management process focused on determining risk levels and risk tolerances. After establishing security controls, the organization engages a HITRUST-approved CSF assessor to audit the controls and the security program. If the CSF assessor approves the program, the organization can become HITRUST CSF certified.