What is HITRUST?

Founded in 2007, the Health Information Trust Alliance (HITRUST) is a consortium of healthcare, technology and security organizations that developed and maintains the Common Security Framework (CSF). The framework consolidates HIPAA and other applicable security requirements (such as PCI DSS) into a single set of controls, so that healthcare organizations can demonstrate compliance consistently. Adopting the HITRUST CSF lets an organization streamline its compliance efforts and remove redundant, overlapping assessments.

The HITRUST CSF assessment requirements are organized into 19 control domains:

  • Information Protection
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Wireless Protection
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Transmission Protection
  • Password Management
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training & Awareness
  • Third-Party Security
  • Incident Management
  • Business Continuity & Disaster Recovery
  • Risk Management
  • Physical & Environmental Security
  • Data Protection and Privacy

Companies can demonstrate their compliance with the framework at three levels of assurance:

  • HITRUST Self-Assessment
    The organization assesses itself against the CSF requirements using the HITRUST MyCSF tool and obtains a self-assessment report. No independent party verifies the results.
  • HITRUST CSF Validated Assessment
    The organization performs the same assessment, but an independent HITRUST External Assessor tests and validates the results, and HITRUST issues a validated assessment report.
  • HITRUST CSF Certification
    This is the highest level of assurance. An independent HITRUST External Assessor performs the assessment, HITRUST reviews it for quality assurance, and HITRUST issues the certification.

Each HITRUST certification is valid for two years and requires an interim assessment at the one-year mark to confirm that the certified controls remain in place.

Who needs a HITRUST Certification?

HITRUST is becoming a de facto standard in the healthcare industry. It gives covered entities and business associates a way to demonstrate that their controls address HIPAA requirements. The certification provides assurance to customers and consumers that their Protected Health Information (PHI) and other sensitive data are protected, and gives the certified company a competitive advantage.

Furthermore, many corporations require their service providers and business associates to maintain HITRUST certification and document that requirement as a contractual obligation.

How to obtain HITRUST Certification?

The typical HITRUST certification process consists of the following three phases:

Readiness Assessment

In this phase, the company is assessed to establish whether the policies, processes, and controls needed to meet the HITRUST requirements have been implemented, and where gaps remain. The readiness assessment may be conducted by the company's internal resources, a HITRUST assessor, or a consulting firm.

Gap Remediation

This phase addresses the gaps identified in the readiness assessment. To preserve assessor independence and avoid a conflict of interest, the HITRUST assessor that will perform the certification assessment cannot take part in remediation. This step is therefore performed either by the company itself or by a separate consulting firm.

Certification Assessment

In this step, the selected HITRUST assessor performs the certification assessment. The completed assessment is submitted to HITRUST for quality assurance and certification. If the assessment is accepted, HITRUST issues the certification report. In some cases, a certification can be issued even though the company still has compliance gaps; the company must then submit a Corrective Action Plan (CAP) for the open gaps, and HITRUST monitors progress against that plan.

How can Planet 9 help?

Planet 9, a San Francisco Bay Area-based firm, employs seasoned professionals with years of experience in the healthcare industry, working with health insurance plans, hospitals, and health technology companies. We have consulting experience helping clients become and remain compliant. Our staff includes former Chief Information Security Officers and compliance managers who have personally been accountable for HITRUST certifications.

Depending on a client's internal resources, expertise, and availability, Planet 9 can fully or partially assist the client with the following:

  • Perform a readiness assessment
  • Conduct gap remediation
  • Represent the client during the certification process
  • Establish and maintain a continuous compliance program