The Health Information Trust Alliance (HITRUST), a non-profit, privately held company consisting of healthcare, technology, and information security leaders, created the HITRUST Common Security Framework (CSF) to ease the healthcare industry’s compliance burden.
The Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare organizations and their business associates establish security controls that protect sensitive information. Personal Health Information (PHI) and electronic PHI (ePHI) are defined as information about a person’s health that can be linked back to the individual.
HIPAA’s security requirements integrate several industry standards, frameworks, and regulatory requirements including but not limited to COBIT, ISO, NIST, and PCI DSS. To better manage HIPAA compliance requirements, many organizations choose to become HITRUST CSF certified.
The HITRUST CSF is a security framework that aggregates relevant information security controls from the standards and regulations incorporated into HIPAA. Thus, it creates a single framework that healthcare providers and their business associates can use to meet the technology requirements embedded in HIPAA.
The HITRUST CSF certification process starts with a self-assessment. During the self-assessment process, the organization will review all the locations where it creates, accesses, stores, and exchanges PHI. After completing this inventory, the organization must engage in the risk management process. Risk management requires both a risk assessment and risk analysis. In the risk assessment, the organization determines the threats that can impact ePHI. In the risk analysis, the organization determines the likelihood of the threat’s occurrence and the impact the threat can have. Once the organization finishes the risk assessment and risk analysis, it then moves on to determining whether it will accept, transfer, mitigate, or refuse the risk. If the company chooses to accept the risk, it establishes controls to protect the information.
HITRUST requires that any healthcare provider or business associate wishing to be HITRUST CSF certified engage an approved CSF assessor to do an audit. The CSF assessor reviews the risk management program and controls’ effectiveness, then submits a final report. If the CSF assessor finds that the organization meets the HITRUST CSF certification requirements, then the application is submitted to HITRUST for approval.