It is not uncommon in the healthcare industry for an organization to insist that it needs a “HIPAA certification,” in the same way it would obtain a Payment Card Industry (PCI) attestation or an SSAE 18 (SOC) report. The assumption that such a certificate is what makes an organization HIPAA compliant causes confusion within the industry. In fact, there is no HIPAA certification: the Department of Health and Human Services (HHS) neither issues nor recognizes one, and each organization is responsible for finding its own method of demonstrating compliance with the HIPAA requirements.
In an effort to clarify this uncertainty, we will explain HIPAA as a standard and introduce the Health Information Trust Alliance (HITRUST), whose certifiable common security framework your organization can use as a guide to compliance.
What is HIPAA?
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 required the Secretary of Health and Human Services (HHS) to publish national standards for the security of electronic Protected Health Information (ePHI). The resulting regulation, the HIPAA Security Rule, was finalized in 2003 and later amended by the 2013 Omnibus Rule. The Security Rule applies to healthcare providers, health plans, and clearinghouses (known as “Covered Entities”), and to the Business Associates that handle ePHI on their behalf, and requires them to maintain “reasonable” and “appropriate” administrative, technical, and physical safeguards for protecting ePHI.
The ambiguity of terms like “reasonable” and “appropriate” leads to uncertainty, confusion, and frustration, because the rule does not specify whether any particular activity or process satisfies a safeguard requirement. Misinterpretation of the rule can therefore leave major control gaps. While the HIPAA Security Rule is the authoritative security requirement for healthcare, its non-prescriptive wording provides limited practical guidance to covered entities. Some organizations have turned to other frameworks, such as the guidance published by the National Institute of Standards and Technology (NIST), to help them meet the HIPAA standard. NIST goes further in outlining specific activities and tools that can help satisfy HIPAA requirements, but for many organizations it still does not go far enough, and it offers no certification.
While HIPAA is the law that sets the standards for compliance, HITRUST is an organization that assists covered entities in achieving compliance with those standards. Founded in 2007, the HITRUST Alliance was created through collaboration among public and private healthcare technology, privacy, and information security leaders. Its Common Security Framework (CSF) was, in HITRUST's words, “born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
The HITRUST CSF is a certifiable framework that not only covers HIPAA but also complements other frameworks and standards a healthcare organization might need to comply with, such as PCI DSS, ISO 27001, and NIST. The CSF maps these standards to one another and overlays a single set of common controls, so that one control implementation can satisfy several obligations at once. In short, HITRUST took a non-prescriptive and non-certifiable regulation and built a standardized compliance framework, assessment, and certification process specific to the healthcare sector. Additionally, HITRUST scopes the control set to each organization by considering regulatory, system, and organizational factors, such as the organization's size, the type of systems it operates, and the risks it faces, to produce a customized set of controls that suit your business.
Why This Matters
Relying on rapidly evolving technologies to store and transmit ePHI changes a healthcare organization’s compliance scope, and as a result obtaining and maintaining compliance has become increasingly complex and difficult. Managing security and privacy requirements from regulatory bodies and from third-party frameworks can be overwhelming and can consume a significant amount of resources. Since most healthcare organizations have more than one compliance obligation, HITRUST can simplify and streamline the road to compliance, to a more mature environment, and above all, to a more secure organization.
It is also important to understand the movement of the industry as a whole toward a unified framework. HITRUST, with its prescriptive and comprehensive structure, is working to become the universal framework that healthcare organizations use to satisfy their requirements. This would benefit the entire industry by ensuring that all Covered Entities and the Business Associates they work with use the same framework to meet the HIPAA requirements.
HIPAA certification is not possible, but the HIPAA standards must still be addressed. By adopting the HITRUST framework, your organization can remove the ambiguity of the HIPAA standard, meet its requirements, and successfully secure its ePHI.