BLOG

Blog Post by Angela Fitzpatrick, ITRM Senior Manager at Meditology Services

---

AUDIENCE: This blog article is recommended for any organizations that are considering pursuing HITRUST certification, recertification, or alignment with HITRUST CSF security control requirements.

What is HITRUST?

HITRUST stands for the Health Information Trust Alliance. HITRUST is a non-profit organization that created and maintains the HITRUST Common Security Framework ("CSF") and HITRUST Assurance Program. HITRUST was developed specifically for the healthcare industry and provides a framework for organizations to comply with various regulations and standards based on the organization's size, types of systems deployed, and applicable regulatory requirements.

The HITRUST CSF Incorporates more than 40 security and privacy related regulations, standards, and frameworks providing comprehensive and prescriptive coverage. The HITRUST CSF incorporates existing controls and requirements developed from regulations including but not limited to HIPAA, HITECH, GDPR, and CCPA as well as security standards such as NIST, ISO, and PCI. Organizations assess their internal systems, policies, and procedures against these controls.

HITRUST CSF was designed to help organizations with sensitive healthcare data become more secure. The HITRUST Common Security Framework (CSF) safeguards electronic protected health information (ePHI) and helps organizations streamline their security and compliance requirements.

Through the adoption of a common set of security objectives and assessment processes, HITRUST also streamlines how healthcare organizations manage Business Associate compliance. Business Associates can assess once and report to their many constituents, while healthcare organizations and other external parties benefit from a more complete and effective assessment process that is validated by trusted third party assessor firms.

Meditology’s Managing Partner Cliff Baker served as the lead architect for HITRUST CSF, and Meditology has conducted hundreds of HITRUST assessments and certifications for healthcare entities over more than a decade. Meditology is a formal HITRUST assessor organization and is authorized to certify entities in the HITRUST CSF. Our perspective in this FAQ publication is informed by our extensive experience assessing and certifying entities with the HITRUST CSF.

What is the Relationship Between HIPAA and HITRUST?

The HITRUST CSF gives organizations a way to show evidence of compliance with HIPAA-mandated security controls. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.

According to the HHS, "The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form... This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information."

HITRUST certification provides prescriptive and measurable criteria and objectives for applying "appropriate administrative, technical, and physical safeguards." HITRUST does not replace or substitute your HIPAA compliance program or “prove” that an entity is HIPAA compliant, but it is widely accepted as a best practice approach for healthcare entities to evaluate and manage risk in alignment with HIPAA requirements.

Why Get Certified?

Healthcare has become a prime target for malicious actors bent on profiting from the resale and reuse of patient information. Healthcare entities are scrambling to bolster security controls for their own organizations and third-party business partners as the sprawl of patient information continues to drive widespread data breach events.

Many healthcare Covered Entities and Business Associates servicing the industry are pursuing or evaluating enterprise security certifications like HITRUST to provide assurance of their security program and control effectiveness to the market.

Some business drivers for obtaining HITRUST certification include:

• Security certifications including HITRUST have become a contractual requirement for third parties looking to do business with many of the nation's leading healthcare organizations
• In the case of an OCR audit, HITRUST certification helps demonstrate compliance with HIPAA regulatory requirements and provides a high degree of assurance to auditors
• HITRUST certification compels the organization to adopt formal security policies, procedures, and controls and strengthen the overall security program, which reduces the likelihood and impact of breach events
• HITRUST certification can significantly reduce the time spent responding to detailed security questionnaires and audits, which can reduce sales cycles and cost
• HITRUST certification in many cases can create a competitive advantage for products and services looking to demonstrate capabilities for protecting sensitive healthcare information
• In the event of a security breach and subsequent regulatory investigation, HITRUST certification can demonstrate that the organization took reasonable and appropriate efforts to comply with HIPAA security requirements and may reduce the amount of Civil Monetary Penalties
• Public trust and brand reputation can be enhanced for entities that formalize their commitment to securing sensitive patient information via HITRUST certification

Healthcare organizations benefit from a consistent and efficient approach for reporting compliance with internal stakeholders, HIPAA, HITECH, state, and third-party Business Associates.

Who Needs a HITRUST Certification?

The most common organization types that pursue and obtain HITRUST certification include vendors and Business Associates servicing the healthcare industry, healthcare insurance and payors, and healthcare providers.

How Does My Organization Get HITRUST Certified?

In order to get HITRUST certified, it is necessary to have a HITRUST Validated Assessment performed by an authorized HITRUST Assessor and then submitted to HITRUST for their approval and official certification. Meditology Services is an authorized HITRUST Assessor organization.

What Does the HITRUST Certification Process Entail?

Meditology’s HITRUST certification consists of three primary phases including a gap and readiness assessment, remediation, and HITRUST certification audit.

The key to a successful HITRUST assessment is properly determining the certification scope. The larger the scope of a HITRUST assessment, the more complex and costly the assessment and certification becomes. Meditology’s assessment methodology works with your organization to determine the appropriate scope for your organization that will meet business requirements while minimizing cost and time to achieve certification.

Once the scope has been determined, the next step is to perform a HITRUST Readiness Assessment. The readiness assessment includes a formal audit of your organization’s policies, procedures, implementation, and measurement capabilities relative to the in-scope certification requirements.

The readiness assessment includes a combination of interviews, evidence collection and testing, and physical inspection of controls. Each control area is “scored” in accordance with HITRUST’s detailed scoring methodology and requirements.

Organizations typically have several control areas that require remediation that may range from the creation of policies and procures to security and IT control implementation updates for in-scope systems and applications. These areas are identified in the readiness assessment, prioritized, and move forward into the active remediation stage.

In certain cases, you may have controls that do not pass HITRUST’s requirements for certification. For those controls, you will need to develop a corrective action plan ("CAP") to gain certification. Meditology will help to identify the CAPs that are needed and help your organization remediate the gaps.

The final phase involves completing a HITRUST Validated Assessment. This is similar to the initial Readiness Assessment but becomes the official assessment submitted to HITRUST for certification. Your formal scores are submitted to the HITRUST Alliance for review, quality assurance, and issuance of your formal certification (i.e. Validated Assessment with Certification).

How Long Does It Typically Take to Get Certified?

As you might expect, there is a wide range of certification duration for organizations depending on their certification scope, regulatory factors, size and complexity, security control maturity, and several other factors.

That said, the typical duration for a HITRUST certification process ranges from approximately 9 months to 1 year. Very few, if any, organizations obtain certification earlier than 6 months into the process. Some organizations take more than a year from start to finish to obtain formal certification status.

What is the Difference Between Self-Assessments and Validated Assessments?

HITRUST offers two types of assessments:

• A HITRUST Self-Assessment is performed using resources in your organization. Note that you cannot obtain a HITRUST certification via a Self-Assessment.
• A HITRUST Validated Assessment is performed using an authorized HITRUST External Assessor Organization and is submitted to HITRUST to perform their final QA checks. If they approve, HITRUST will then issue a HITRUST Validated Report with Certification.

What Does HITRUST’s QA Review Entail?

HITRUST’s Quality Assurance (QA) review consists of the following activities:

• Automated Checks: The assessment’s scoring, commentary, and accompanying documentation is subjected to over four dozen automated quality checks designed to identify common assessment scoring and commentary errors and omissions.
• Core QA: A sample of randomly selected HITRUST CSF requirement statements are reviewed to confirm the sufficiency of the external assessor’s basis for agreement with the assessed entity’s scoring.
• Test of N/A’s: The documented rationale for deeming any HITRUST CSF requirement statements as “not applicable” (N/A) is reviewed for reasonableness, consistency, and appropriateness.
• Test of Measured and Managed Controls: All HITRUST CSF requirement statements where the measured and managed PRISMA control maturity levels were scored are reviewed to confirm the sufficiency of the external assessor’s basis for agreement with the assessed entity’s scoring.

What Could Cause an Assessment to Fail HITRUST’s QA Process?

While nothing is typical about a “failed QA” outcome, the root causes leading to this potential outcome can be grouped as follows:

• The assessed entity failed to implement the CSF to a degree warranting certification yet scored itself within HITRUST’s certification scoring threshold, and the external assessor failed to identify and/or push back on the assessed entity’s inaccurate control maturity scoring.
• The assessed entity failed to effectively demonstrate its implementation of the CSF to the external assessor, and the external assessor failed to identify and/or push back on the assessed entity’s unsubstantiated control maturity scoring.
• The assessed entity and the external assessor did not correctly leverage HITRUST’s Control Maturity Scoring Rubric when respectively determining and confirming the organization’s control maturity scoring.
• The external assessor failed to conduct and/or document the validated assessment in accordance with HITRUST’s assessment requirements.
• The external assessor failed to incorporate changes and updates to the HITRUST CSF Assurance Program into its assessment methodology.

Examples of issues which have led to validated assessments failing HITRUST’s QA include:

• The external assessor attempted to “test the spirit of the control” instead of testing the actual HITRUST CSF implementation requirements.
• The assessed entity represented (and the external assessor agreed) that the policy and procedure PRISMA levels were “Fully Compliant,” yet the organization’s documented policies and procedures did not sufficiently address the HITRUST CSF implementation specifications.
• The assessed entity represented (and the external assessor agreed) that the implemented controls were “Fully Compliant,” yet only policy and procedure documents were collected to substantiate control operation and implementation.
• Neither the assessed entity or the external assessor properly understood concepts related to measuring the ongoing operation of internal controls, leading to inflated scoring in both the measured and managed PRISMA control maturity levels.

Your selection of an experienced and well-qualified HITRUST Assessor organization is a critical success criterion for obtaining certification in alignment with your cost and timing expectations.

How Does HITRUST Determine that an Assessment has Failed the QA Process?

It is normal for the HITRUST Alliance’s Quality Assurance (QA) Analysts to raise questions about an assessment as they perform QA procedures. Typically, these questions are resolved through collaboration between the HITRUST QA Analyst, the external assessor’s engagement team, and the assessed entity. However, in some instances these questions cannot be satisfactorily resolved. In order to protect the quality and reliability of assurance reports and CSF Assurance Program, HITRUST will not issue a Validated HITRUST CSF Report if there are unresolved concerns about the rigor of the assessed entity’s HITRUST CSF implementation and/or the adequacy of the external assessor’s procedures.

Note: an assessment failing QA is very different from an assessment result reflective of low control maturity. The concept of an audit, assessment, or inspection failing a review typically means that a reviewer of the audit (e.g., a regulator, an internal reviewer, a peer reviewer) uncovered significant issues regarding the audit itself. These issues typically stem from either (a) the auditor’s failure to uncover issues in the audited environment, and/or (b) the auditor’s failure to adhere to applicable auditing standards in the performance or documentation of the audit. In the HITRUST context, a validated assessment failing HITRUST’s QA review means that HITRUST had enough significant concerns regarding the assessment itself to prevent issuance of a Validated HITRUST CSF Report (with or without certification).

Given how impactful this outcome is to all involved parties, multiple reviewers internal to HITRUST must concur with the “failed QA” outcome.

If the HITRUST Quality Assurance (QA) Analyst’s procedures yield questions which cannot be resolved through the QA Analyst’s collaboration with the external assessor, the assessment is escalated to the HITRUST VP of Assurance Services. The VP of Assurance Services reviews the QA Analyst’s work and may independently review additional requirement statements not previously reviewed by the QA Analyst. If the VP of Assurance Services agrees that the assessment failed HITRUST’s QA review, the submission is escalated to the Compliance Department. A Compliance team member reviews all QA work performed by the Assurance team, and often independently reviews even more requirement statements. If the Compliance team member agrees that the assessment failed HITRUST’s QA review, HITRUST’s unresolved questions and concerns are discussed over one or more meetings attended by the external assessor.

A “failed QA” outcome is only reached when (a) leadership of both the Assurance and Compliance departments conclude that this outcome is warranted, and (b) the external assessor is unable to resolve HITRUST’s questions and concerns. Because HITRUST’s QA focuses on a subset of the external assessor’s testing, unresolved concerns identified during QA are viewed as indicative of problems in the larger validated assessment.

What Happens if an Assessment Fails HITRUST’s QA Process?

When a validated assessment submission fails HITRUST’s QA review, no validated report is issued. HITRUST will instead issue a letter to the assessed entity describing the unresolved concerns leading to the “failed QA” outcome. The assessed entity must undergo a completely new validated assessment if they choose to proceed towards a Validated HITRUST CSF Report.

Dependent on the age of previously collected evidence (relative to the external assessor’s fieldwork dates of the repeated validated assessment), updated copies of audit evidence must be collected. If a Validated HITRUST CSF Report with Certification is issued as a result of the re-performed validated assessment effort, it will be dated as of the end-date of that re-performed validated assessment effort (and not the original / failed assessment).