Often, there is a disconnect between what people think HITRUST for healthcare is and what it actually is. HITRUST is an acronym for the Health Information Trust Alliance, an independent testing organization. HITRUST offers what is known as the “HITRUST CSF®,” a security framework that provides organizations with a comprehensive and flexible approach to HIPAA compliance and risk management.
Organizations that are HITRUST CSF certified address both security and compliance risks. While HITRUST can help organizations meet the security standards required by HIPAA, they are two separate things.
HITRUST for Healthcare and the CSF Framework
The purpose of HITRUST is to provide data protection standards for healthcare providers, business associates, and vendors to assist in safeguarding sensitive data and managing IT risk. The HITRUST alliance helps healthcare organizations address common issues in healthcare privacy and security through a common security framework (CSF).
HITRUST CSF maps standards and best practices based on multiple privacy and security regulations. The HITRUST CSF framework combines other frameworks and standards, such as HIPAA and NIST, creating a centralized key mapping tool.
The HITRUST CSF framework allows organizations to address both security and compliance risks. The framework also provides for tailoring security measures based on unique organizational factors such as type of organization, size, systems, and regulatory requirements.
HITRUST CSF is a framework that an organization can use to meet the legal requirements of HIPAA.
Since HITRUST was formed in 2007, 83% of health plans and 81% of health systems and hospitals have adopted HITRUST standards. According to a HIMSS survey conducted in 2018, HITRUST CSF is the most widely adopted CSF in healthcare.
How Does HITRUST Help with HIPAA Compliance?
The HIPAA Security Rule requires healthcare organizations to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). While HIPAA states that you must safeguard ePHI, it doesn’t necessarily tell you how to do so.
HITRUST CSF provides healthcare organizations with actionable information they can use to meet HIPAA security standards.
HITRUST for healthcare also allows risk assessments to be conducted against the CSF. The CSF then produces remediation reports that help organizations address regulatory requirements and other best practices.
According to research conducted by HITRUST, 97% of organizations that adopt the CSF rapidly improve their overall security posture while making it easier to maintain.
“Evidence suggests that the more mature an organization’s information protection program, specifically their information security controls which demonstrate proficiency of operation, management, and reporting, the more likely an organization will be to continue to operate those controls in a similar manner in the future,” the report authors wrote.
“Mature organizations are less likely to suffer a breach and, should a breach occur, the more likely these organizations will be able to contain it and minimize the impact,” they added. “This is because controls that have been implemented at a high level of maturity are simply less likely to fail than controls that are implemented poorly.”
HITRUST Healthcare and eFaxes
HITRUST has made its stance known regarding the use of paper faxes. Paper faxing poses a risk to HIPAA compliance because of the way traditional fax machines were designed. Fax machines generally store messages that have been sent or received, which exposes stored patient information to unauthorized access. Traditional faxes can also accidentally be sent to the wrong recipient, or the information in a fax can be intercepted by an unauthorized party.
HITRUST recommends that healthcare organizations opt for an electronic fax service to maintain HIPAA compliance, as these services can be HITRUST CSF certified.
HITRUST-certified fax services meet the security requirements of HIPAA, including:
- Transmission security
- Data encryption
- Access controls
- Audit controls
When using an eFax service, you must also ensure that the provider will sign a business associate agreement (BAA). Without a signed BAA, the fax service is not considered HIPAA compliant and cannot be used to transmit or receive patient information.