What Are HITRUST Requirements?

What does HITRUST mean?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component to data systems and exchanges. In collaboration with information security, business technology, and healthcare leaders, HITRUST developed the HITRUST Common Security Framework (CSF). The HITRUST CSF combines information from various standards, such as HIPAA, NIST, HITECH, and others, as a certified framework of controls mapped to these standards designed to help organizations achieve complete compliance.

**RELATED: ** *Get your complimentary copy of the condensed guide to the What, Why, and How of HITRUST; *HITRUST Explained for Everyone

How many HITRUST controls are there?

In contrast to HIPAA, the HITRUST CSF does not create broad buckets like Administrative and Security controls. The HITRUST CSF is divided into 19 different control domains:

1. Information Protection Program	11. Access Control
2. Endpoint Protection	12. Audit Logging & Monitoring
3. Portable Media Security	13. Education, Training and Awareness
4. Mobile Device Security	14. Third Party Assurance
5. Wireless Security	15. Incident Management
6. Configuration Management	16. Business Continuity & Disaster Recovery
7. Vulnerability Management	17. Risk Management
8. Network Protection	18. Physical & Environmental Security
9. Transmission Protection	19. Data Protection & Privacy
10. Password Management

In addition to the domains above, HITRUST also has 75 control objectives and 156 specific controls.

What are the HITRUST requirements?

For each of the 156 controls defined by HITRUST, three distinct implementation levels exist. Each implementation level builds on the one below - level 2 includes all of level 1 plus additional requirements, level 3 includes all of level 2 plus additional requirements. Therefore, level 3 has the most stringent set of requirements. Implementation levels in the CSF are determined for each organization based on their risk profile, accounting for aspects like the size of an organization and the number of stored health records. Most organizations have varied levels of implementation for their controls from level 1, 2, or 3.

What is HITRUST compliance?

HITRUST compliance means that an organization has implemented the appropriate requirements from the HITRUST CSF. HITRUST compliance doesn’t look the same for every organization. Because there are three levels of implementation, some organizations may have stricter requirements for certain controls, while other organizations can comply by implementing less-stringent requirements for the same controls.

To achieve HITRUST compliance, an organization must comply with the requirements set forth for the organization’s specific implementation level for each control across all HITRUST domains.

Who requires HITRUST certification?

Healthcare organizations and business associates that want to prove their compliance with HIPAA and other relevant regulations may conduct a Self-Assessment, or they may opt to become HITRUST CSF Validated or HITRUST CSF Certified. These three options are known as Degrees of Assurance, or levels of confidence that an organization meets all relevant HITRUST requirements.

A Self-Assessment is the simplest Degree of Assurance to achieve. Using the HITRUST myCSF tool, organizations answer a series of questions to obtain a customized HITRUST assessment designed to evaluate the organization’s unique environment against the relevant compliance criteria. Through the assessment, areas for improvement are identified, as well as areas in which the organization is already compliant with HITRUST requirements.

Organizations that want additional compliance assurance following a Self-Assessment can obtain validation from a third-party CSF Assessor. This Degree of Assurance is known as CSF Validated.

Certification is the highest Degree of Assurance, and it requires the most effort and time to achieve. To obtain HITRUST CSF Certification, organizations send their validated assessment to HITRUST for review and certification. A HITRUST CSF Certification is valid for two years.

HITRUST certification is increasingly important as more healthcare organizations, such as health insurance providers, are requiring their business associates to be CSF Verified or CSF Certified.

Why does HITRUST matter?

Well, as healthcare is becoming further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state and third-party security mandates has become a feat that can quickly consume an organization’s resources. If that isn’t enough, getting through all the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn’t it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

Healthcare is complex and can seem overwhelming, but it doesn’t have to be. Whether you’re an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That’s where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

HITRUST isn’t easy, and it shouldn’t be. The experience we’ve gained as a company and the extensive testing of our technology brings great value to our customers. For more information on HITRUST, visit the Datica Academy or Datica Blog. Additional questions? Contact one of our experts today.