HITRUST is now one of the most widely adopted security frameworks used in today’s healthcare industry. Why, you may ask? Because unlike some of its counterparts, HITRUST comes with a formal certification and an extremely stringent process on the backend to achieve it.

According to the HITRUST Alliance, 81 percent of hospitals and 80 percent of health plans have adopted HITRUST in some way. I anticipate this number will only grow.

Before the establishment of HITRUST back in 2007, there had been countless misconceptions surrounding all of the varying compliance standards and regulations floating around. With confusion at an all-time high, many organizations were seeking a single assessment that would check all the boxes and streamline their audit process.

However, as the numbers of patients in our healthcare systems increase, the HITRUST certification process is also becoming more complex. It takes a substantial amount of dedicated resources (both time and money) to achieve and maintain the annual standard. It can be a lot for an organization to take on internally.

Cue HITRUST Inheritance. In this post, I’ll be diving into the ins and outs of this program and what it could mean for your organization. But first, let’s have a quick refresher on HITRUST.

What is HITRUST?

With the healthcare industry seeing thousands of patients daily, they are held to the highest level of compliance when it comes to protecting personal health information. In its simplest definition, HITRUST was established to help mitigate the risks associated with a data breach of any of that private data.

HITRUST comes with the Common Security Framework (CSF), which allows for the consistent implementation of HIPAA requirements. More specifically, HITRUST CSF provides a proven outline to follow for organizations that create, access, store, or exchange PHI and financial information.

A little hesitant about jumping into a HITRUST assessment on your own? There is a program that can make the process a little easier for you. Sound like I have my head in the clouds? That’s because the solution begins there – with your cloud hosting provider. 

HITRUST Inheritance

According to the HITRUST website, HITRUST Inheritance streamlines the assessment process by saving organizations time and money that would have otherwise been spent on duplicating testing, as well as granting access to test results that may have otherwise been unavailable. Furthermore, organizations that partner with a service provider get to inherit their controls and put them towards their own assessment. Inheritance comes in two forms: external and internal.

  1. External Inheritance: Enables hosting, cloud, and service providers to make assessment scores available for inheritance into any organization’s scores. This makes the process seamless and automatic for an organization.
  2. Internal Inheritance: Gives organizations the ability to inherit control scores from one of their assessments and apply them to others, streamlining the process. Internal inheritance provides flexibility by allowing organizations to assess parts of their organization and build upon them through inheritance into subsequent assessments.

By partnering with a HITRUST certified service provider, organizations like yours can reap the benefits of an inheritance program to simplify the process.

Benefits of HITRUST Inheritance

It is no secret that achieving HITRUST CSF certification takes considerable time and energy. With HITRUST Inheritance, your organization gets to reallocate those internal resources to strategic initiatives and leave the heavy lifting to a service provider.

Here are a few other notable perks:

  • Less testing and data entry required
  • Reduced pre-audit and audit costs
  • Lower ongoing expenses
  • Simplified assessment process
  • Detailed inheritance of control requirement scores
  • Increased flexibility

Just envision partnering with a service provider for HITRUST Inheritance during this year’s audits. Your HITRUST-induced stress would virtually disappear. Sounds appealing, right?

Best Practices for Selecting the Right Provider

When choosing a compliant service provider, there are numerous factors to take into account. Here are some expert tips to help with this decision-making process.

  • Identify Your Needs
    • The first critical step is recognizing where your organization is currently struggling and could use some help. A few things to keep in mind are:
      • What are my organization’s compliance strengths?
      • What are some areas that could be improved?
      • What are we ultimately hoping to achieve?
  • Do Your Research
    • The next step is to do your research on HITRUST CSF certified service providers. Their websites should give you a pretty clear understanding of their history and the actual standards they uphold. From there, making a pros and cons list of everyone in the running is a great way to do a side-by-side comparison for the standards you require. (LightEdge always has a chart breaking down our certifications vs. the competition. We’d be happy to share it with you. Just let us know.)
  • Responsibilities
    • One of the biggest concerns when it comes to HITRUST Inheritance is the division of responsibilities. If you feel like you have a good understanding of this going into the search process, outline this workflow and have it ready when you’re interviewing providers. If you need some assistance, your chosen partner should also be able to provide expert guidance to streamline tasks.

Four Critical Questions to Ask

When it comes to partnering with a service provider, there should be no limit to the questions you ask. After all, you’re trying to find someone that will take your compliance as seriously as you do.

Here are four recommended ones to get the dialogue going:

  1. How long has your organization been HITRUST certified?
    • This question should always be one of the first you ask. Make sure that the service provider you choose has extensive knowledge and experience. It takes time to learn the ins and outs of this complex certification.
  2. Have you worked with organizations similar to mine?
    • You want someone with a history of supporting organizations in your vertical, so there’s no learning curve going in. Some of the best service providers have a rich history of working with diverse organizations from a variety of industries. This allows you to benchmark your security maturity level against your peers and competition. You want to be leading the pack.
  3. Do you have a library of expertise on this subject matter?
    • It is normal for a HITRUST-certified organization to have ample resources available documenting their processes and certification standards. Ask to read press releases, blogs, whitepapers, and letters of attestation. They may even have a HITRUST page on their site for a deeper dive on the topic.
  4. What level of support do you offer?
    • You need to know how they will be able to support your organization. You need a trusted vendor whose offering will benefit your organization in the end.

Lastly, it is completely acceptable to ask the difficult questions. This will allow the top service providers to rise above the weaker providers. Always remember, it’s not what they say, it’s what they do.

LightEdge Can Accelerate Your HITRUST Certification Process

LightEdge is among an elite few service providers who have undergone the demanding process of attaining their HITRUST CSF Certification, plus the HITRUST Inheritance program. With LightEdge as your partner in compliant hosting solutions, you’re able to confidently state that you have the clarity, backing, and stamp of HITRUST approval. All seven of our world-class data centers are HITRUST-certified to keep your data safe.

The benefits are clear. You can save considerable internal resources when it’s time for an audit, protect your customers’ critical data with complete faith, and safeguard your brand from breaches with the backing of a trusted and recognized third party expert.

You can also quickly generate reports that map to all your other requirements, including HIPAA, PCI, and ISO, through LightEdge’s Compliance as a Service. LightEdge offers a free risk assessment from our Chief Security Officer as a resource to all of our customers. It’s safe to say, compliance and security are our top priorities and where we really set ourselves apart.

LightEdge is compliant with:

If you are interested in getting a risk-free assessment from our healthcare compliance experts, a tour of any of our HIPAA and HITRUST compliant data centers, or in learning more about LightEdge’s compliance as a service benefits, contact us here. We have cloud hosting, security, and compliance experts standing by to answer any of your questions. 


director of compliance
Michael Hannan

Michael has eleven years of information systems, IT, consulting, and compliance experience. His expertise includes identifying and implementing general IT systems, applications, and business controls in conjunction with external compliance audits.

Michael is currently the Director of Compliance at LightEdge, helping to establish, maintain, and enforce the information security policies and procedures that keep LightEdge customers protected at all times.