HIPAA, HITECH and HITRUST In Healthcare IT
By Gerry Miller, CEO, Cloudticity.
Anyone dealing with healthcare IT in the US will come across HIPAA and HITECH and HITRUST — and it’s easy to get them confused. They’re interrelated and they all concern health information and they all impact healthcare IT. But that certainly doesn’t mean they’re all the same.
Briefly, HIPAA is a law and compliance is mandatory. HITECH is another law that was subsequently folded into HIPAA. And HITRUST is a voluntary means to ensure compliance with laws such as HIPAA, including its HITECH provisions and any others that might come along. Here’s how it all breaks down:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered a lot of healthcare modernization issues, including provisions addressing insurance and taxes. But when we reference HIPAA in the IT world, we’re generally concerned with details in the Act’s Title II.
HIPAA Title II stipulates national standards for digital healthcare information management and movement. Its intent was to establish comprehensive guidance on the way personal health information (PHI) is maintained, exchanged, and protected from unauthorized exposure and theft in healthcare industries. Since the Act was signed into law at the dawn of the dot.com days, it has naturally required amendment over the years.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act of 2009. HITECH allocated $28B to fund greater adoption of electronic health records (EHRs) through incentives, resulting in a massive digitization of health information. It also outlined additional sets of stipulations for digital standardization and added more privacy and security protections for healthcare data enforced by penalties for compliance failures.
HITECH was consolidated into HIPAA Title II in 2013 with the Final Omnibus Rule, which also expanded security and breach notification details and, notably, extended HIPAA-compliance requirements to business associate agreements. A business associate is any entity that “creates, receives, maintains, or transmits protected health information” for a HIPAA-covered entity. So pretty much anyone handling PHI has to comply with HIPAA — not just hospitals and insurance companies.
HITRUST (originally dubbed Health Information Trust Alliance) is a private company founded in 2007 that developed a comprehensive Common Security Framework (CSF) to manage risk and meet HIPAA and a growing list of other standard or regulatory compliance requirements such as ISO, NIST, PCI, and GDPR.
The HITRUST CSF has also been updated through the years — and version matters. CSF v9.4 has hundreds more controls than v9.3, for example. And CSF v10 (expected in early 2021) will include significant changes centered on ISO 27001.
At present, the HITRUST CSF has around 1,800 security controls (or specific information protection requirements) applied depending on an organization’s risk profile and the relevant regulatory requirements that need to be met. While not all of these controls are HIPAA-related, all HIPAA requirements can be met from amongst them.
The HITRUST Alliance offers a process certifying that companies or organizations meet a customized set of requirements from the HITRUST CSF for addressing security, privacy, and regulatory requirements — consolidating compliance activities for multiple regulations in their information security programs and unifying what would otherwise be separate tasks. HITRUST certification is voluntary, and it isn’t the only means to comply with HIPAA — but it helps a lot.
How it all works together
If you deal with PHI, even if you are just a subcontracting service provider, you have to comply with HIPAA (and all of its pertinent requirements, not just the HITECH bits). There is also no such thing as “HIPAA certification” to prove compliance.
But HITRUST certification establishes that a company or institution is HIPAA compliant? because the HIPAA requirements are embedded in the HITRUST CSF. And subsequent to the Final Omnibus Rule, the ongoing digital revolution, and the explosion of everything-as-a-service, an increasing number of hospitals, health institutions, and healthcare companies require their vendors to be HITRUST certified (so it might as well be mandatory).
Difficult, but valuable
Obtaining HITRUST certification is not trivial. The number of controls that must be met varies depending on organizational, data, and systems factors. Considering that some healthcare entities still rely on equipment and processes that date to the digital stone age, while others are using cloud-native infrastructure that didn’t even exist a few years ago — there’s obviously a wide range of factors involved and a lot of complexity.
HITRUST scoping processes determine the subset of requirements specific to a particular organization and system scope. A small vendor with a constrained scope may have 200 requirements to meet for certification, while a large enterprise with many complex systems could have more than 1,500.
A HITRUST certification candidate organization will have a designated organizational executive, usually the chief information security officer (CISO) or chief security officer (CSO), who serves as executive sponsor for the certification process. An external assessor selected from a list of HITRUST-approved auditors is engaged to evaluate how the organization meets or fails to meet the specified requirements, and the candidate organization addresses gaps and remediates control issues until it achieves validation from the external assessor. Upon validation, the external assessor submits assessment details to HITRUST’s assessment reviewer, who will be the ultimate decision maker on certification.
This can be a lengthy and laborious process. Candidate organizations should select external assessors carefully — domain expertise and auditing capabilities are musts. External assessors often provide implementation services in addition to validation. If you choose to employ one organization for both duties, make sure there’s separation of church and state between those services lest you wind up with conflict of interest in your validation documentation (one individual evaluating his own implemented security measures is not wise).
Once HITRUST certification is obtained, it’s valid for two years (with a truncated interim assessment required at the one-year mark). These brief certification windows and interim requirements ensure compliance and up-to-date information security best practices are continuous, which helps maintain the vaunted industry status of HITRUST certification.
The payoff for all this effort is that HITRUST-certified organizations automatically demonstrate compliance with HIPAA, HITECH, and many other regulatory requirements — as well as top-notch cybersecurity posture — which is an awfully important differentiator in the world of healthcare IT.