Tag: HITRUST Certification

HIPAA, HITECH and HITRUST In Healthcare IT

By Gerry Miller, CEO, Cloudticity.

Gerry Miller

Anyone dealing with healthcare IT in the US will come across HIPAA and HITECH and HITRUST — and it’s easy to get them confused. They’re interrelated and they all concern health information and they all impact healthcare IT. But that certainly doesn’t mean they’re all the same.

Briefly, HIPAA is a law and compliance is mandatory. HITECH is another law that was subsequently folded into HIPAA. And HITRUST is a voluntary means to ensure compliance with laws such as HIPAA, including its HITECH provisions and any others that might come along. Here’s how it all breaks down:

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered a lot of healthcare modernization issues, including provisions addressing insurance and taxes. But when we reference HIPAA in the IT world, we’re generally concerned with details in the Act’s Title II.

HIPAA Title II stipulates national standards for digital healthcare information management and movement. Its intent was to establish comprehensive guidance on the way personal health information (PHI) is maintained, exchanged, and protected from unauthorized exposure and theft in healthcare industries. Since the Act was signed into law at the dawn of the dot.com days, it has naturally required amendment over the years.

HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act of 2009. HITECH allocated $28B to fund greater adoption of electronic health records (EHRs) through incentives, resulting in a massive digitization of health information. It also outlined additional sets of stipulations for digital standardization and added more privacy and security protections for healthcare data enforced by penalties for compliance failures.

HITECH was consolidated into HIPAA Title II in 2013 with the Final Omnibus Rule, which also expanded security and breach notification details and, notably, extended HIPAA-compliance requirements to business associate agreements. A business associate is any entity that “creates, receives, maintains, or transmits protected health information” for a HIPAA-covered entity. So pretty much anyone handling PHI has to comply with HIPAA — not just hospitals and insurance companies.

Continue Reading

HITRUST Certification: What Is It and Why Is It Important For Data Protection?

By Paul Banco, CEO and co-founder, etherFAX.  

Paul Banco

As a data protection standards and development certification organization, HITRUST helps organizations safeguard sensitive data and manage IT risk across all industries and throughout the third-party supply chain. Since it was founded in 2007, the HITRUST Common Security Framework (CSF) has become the gold standard for compliance framework in the healthcare industry as it addresses the requirements of existing standards and regulations including HIPAA, PCI, COBIT, NIST, ISO, FTC, and state laws.

To become HITRUST certified, an organization must first complete a HITRUST CSF Readiness assessment to determine if the current alignment of its security and privacy controls relates to the requirements defined in the HITRUST CSF. The organization can then select a certified HITRUST CSF Assessor Firm that will perform several risk assessments, audits, and quality assurance procedures over the course of two to four months.

The HITRUST CSF has 19 different domains including healthcare data protection and privacy, endpoint protection, mobile device security, incident management, and disaster recovery. An organization will be scored on these assessments and must meet a minimum compliance level to become HITRUST certified.

Research has shown 97 percent of organizations that pursue a HITRUST Certified Security Framework certification rapidly improve their information security posture to meet certification and, most importantly, maintain their security posture. Furthermore, with a mature information protection program in place, organizations are less likely to suffer a breach and are more likely to be able to contain and minimize the impact of a breach, should one occur.

Organizations that implement a robust information security continuous monitoring (ISCM) program such as HITRUST to continually assess the state of their information security controls not only achieve higher levels of maturity, but also make better and more timely decisions.

Continue Reading