PLANTE MORAN
Want to be HIPAA compliant?
GET HITRUST CERTIFIED
By Alexis Kennedy | alexis.kennedy@plantemoran.com
Did you know that it’s impossible to assert that your organization is “HIPAA compliant,” because there is no formal certifying body to substantiate that claim?

Enter the Health Information Trust Alliance’s Common Security Framework (HITRUST CSF), which provides an avenue for a third-party assessment to verify that the controls in place meet all of the CSF Certification requirements. In addition, organizations can market compliance with the HITRUST CSF, as each certification comes complete with a validated report and letter of certification. The CSF also provides an avenue to reduce audit costs, as it can easily be mapped to other compliance frameworks, helping organizations audit once and report many times over.
Here are a few frequently asked questions about the CSF and the certification process.
What is the HITRUST CSF?
The HITRUST CSF was developed to address the security, privacy, and regulatory challenges facing the healthcare industry. It provides a comprehensive framework of prescriptive security controls and was developed with ISO/IEC 27001 as a primary reference. Its primary goal is to give prescriptive guidance to help organizations comply with HIPAA and HITECH.

What are the reporting options?
HITRUST offers a multitude of reporting options to help organizations achieve the level of assurance appropriate for their operations. There are three report options that build upon each other:

Self-assessment. Organizations complete an internal assessment that results in a report issued by HITRUST.

Validated assessment. Once the internal assessment is complete, a certified HITRUST assessor validates and scores the responses on site. The assessment is submitted to the HITRUST Alliance for quality assurance, and then a validated report is issued.

Validated assessment with certification. During the validated assessment, the HITRUST assessor also reviews the scores achieved by the organization. If the score meets the threshold for certification, a validated report plus certification is issued.
How do I achieve certification?
There are 66 controls required for certification, spread across 19 different domains. An aggregate score of at least three must be achieved within each domain in order to become HITRUST certified.

Can I achieve certification with control gaps?
Yes. As long as organizations achieve an average score of three in each of the 19 domains, they can achieve certification. If control gaps are identified, however, a corrective action plan (CAP) will need to be developed and submitted.

How long does my certification last?
Certification lasts for 2 years, contingent on an interim assessment being performed and submitted within 60 days of the one-year anniversary of the initial report date. This assessment encompasses a sample of testing in each of the 19 domains as well as a review of any CAPs identified after the initial assessment.
What is a CSF subscription?
The HITRUST Alliance offers the CSF to organizations on a subscription basis, meaning organizations can pay an annual fee for 24/7 access to the tool in which they document controls and improvements on an ongoing basis. A subscription is not necessary to become HITRUST certified, however; all of the assessments are available for purchase outside of a subscription. Without a subscription, though, organizations have only 90 days to complete their assessments and submit them to HITRUST for review, or the assessments will be deleted.
SOC 2 and HITRUST: Can we do both?
Yes. A SOC 2 report mapped to the HITRUST CSF will ensure an organization is able to meet all of the reporting requests it receives. By mapping the HITRUST CSF to the SOC 2 report, organizations have a comprehensive and detailed control report to submit to their customers. In addition, while performing testing for both SOC 2 and the HITRUST CSF, we can gain efficiencies between the two reporting frameworks and assist in obtaining a validated report with certification from HITRUST. We can use the “audit once, report many” approach to help organizations issue a HITRUST certified report from a registered HITRUST assessor as well as a SOC 2 report with an opinion from a registered AICPA CPA firm.
plantemoran.com