Security rules surrounding the healthcare industry and its technology can seem overwhelmingly complicated and strict, but the Health Information Trust Alliance (HITRUST) is becoming a viable and simplified option for both vendors and covered entities. Even with HITRUST, healthcare providers still have some questions. What exactly is HITRUST, how does it differ from HIPAA, and how can healthcare organizations leverage this framework?
The Health Information Trust Alliance is the organization that created and maintains the Common Security Framework (CSF). HITRUST leads the effort to provide a certifiable, universal framework that incorporates HIPAA, PCI DSS, ISO 27001, ISO 20000-1, and NIST compliance requirements.
What is HITRUST?
The HITRUST CSF is a healthcare cybersecurity framework that includes both federal and state regulations. The goal of HITRUST’s cybersecurity framework is to set a comprehensive baseline for healthcare security controls. By creating a normalized and universally recognized framework, HITRUST provides organizations with clarity and consistency for compliance with healthcare security requirements.
Organizations can become HITRUST-certified by having a third-party auditor come onsite to validate the use of specific controls; those controls may vary based on the company’s size and complexity, and include requirements such as proper access control, security policy, asset management, incident management, and business continuity management.
With ongoing improvements, the HITRUST CSF has become the most popular and widely adopted security framework in the U.S. healthcare industry. It is important for the healthcare industry to understand the difference between HITRUST and the Health Insurance Portability and Accountability Act (HIPAA) as they are closely related, but not interchangeable.
HITRUST vs. HIPAA
By now, the healthcare industry is familiar with HIPAA regulations and their purpose. Understanding them is critical to ensuring the confidentiality, integrity, and availability of any data created, received, maintained, or transmitted, while simultaneously protecting that data against threats. For six years in a row, data breaches in the healthcare industry have increased in frequency, impact, and cost. Given that, it is clear that HIPAA is a regulatory baseline for data protection but does not offer comprehensive security against today’s evolving threats.
The rise in breaches is, in part, due to HIPAA’s unclear standards on appropriate protections for data and for devices that contain sensitive data. Because of HIPAA’s vague guidelines, organizations implement controls that are insufficient and do not adequately link to applicable risk assessments. Organizations rarely have the internal expertise and oversight to cover all of HIPAA’s required and “optional” measures. HITRUST closes this gap and provides clear standards for data protection.
“Within the HIPAA Security Rule, certain specifications are required, and others are addressable. An organization can choose not to implement addressable specifications if there is a valid business reason,” says Joe McDermott, a HITRUST technical lead with Schellman.
The HITRUST CSF was developed in conjunction with healthcare employees to address their needs. It aids organizations by providing an efficient framework for logical and physical security needs that go beyond HIPAA compliance. The HITRUST CSF integrates many existing requirements from HIPAA and other data protection frameworks to create a universal protection standard free of inconsistencies. HIPAA is still a valuable tool and should not be ignored, but HITRUST is a prescriptive approach to meeting HIPAA security requirements.
Benefits of HITRUST Certification
While there is no official certification for HIPAA, it is possible to become HITRUST certified. Through a third-party assessment, HITRUST can verify that your organization has met all industry-defined certification requirements of the CSF. Certification offers your organization multiple benefits. Choosing an IT provider that is HITRUST certified allows you to offload the responsibilities and cost of becoming certified, while letting you take advantage of best-in-class security measures including policies, procedures, and technology.
With a certified IT provider, your organization saves time and money in preparation for an audit. The audit process is simplified, since you will already have much of the documentation and reports needed to prove your compliance efforts.
Benefits of HIPAA Compliance
While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and HITECH Breach Notification Requirements and has been issued a Type 1 attestation report from an independent CPA firm. This means our facilities meet the HIPAA colocation requirements to keep your data HIPAA-compliant.
Finding a HIPAA-compliant data center and colocation provider that meets the necessary HIPAA standards will allow you to focus on innovating and improving the patient experience and business efficiency within your healthcare organization.
Colocation and cloud hosting providers protect your sensitive healthcare data in the event of an emergency by acting as a disaster recovery location. Our secure infrastructure and expertise in both compliance and the healthcare industry, combined with our private cloud offerings and ongoing education and training, will ensure your data is safe from a physical or cyber breach.
The increase in data breaches throughout the healthcare industry has given rise to new concerns over compliance and regulations, and for good reason. HIPAA regulations describe essential practices for protecting sensitive data, but without the ability to become ‘HIPAA certified,’ organizations must ask whether their colocation partner has been issued a Type 1 attestation report from an independent CPA firm.
To a degree, the lack of an industry-standard cybersecurity framework leaves the choice and extent of data cybersecurity measures up to the covered entity (CE) and business associate (BA).
The HITRUST CSF provides organizations with a universal, industry-designed cybersecurity framework to eliminate confusion over regulations and compliance issues. Through the incorporation of various other frameworks, the HITRUST CSF offers comprehensive data protection. Choosing a HITRUST-certified IT provider delivers the peace of mind needed when handling sensitive data.
LightEdge Knows HIPAA and HITRUST Compliance
LightEdge has HIPAA- and HITRUST-secure data center locations at our Des Moines, Kansas City, Omaha, and newly acquired Austin and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA and HITRUST compliance. With a specific background working with healthcare organizations, our data center and hosting solutions provide you with the confidence you need to meet HIPAA requirements.
LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer as a resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards.
Very few hosting providers have gone through the demanding process of attaining HITRUST CSF Certification. With LightEdge as your partner in compliant hosting solutions, you’ll be able to confidently state that you have the clarity, backing, and certification of HITRUST. Our Austin Data Center is HITRUST-compliant to keep your data safe. The benefits are clear: you save considerable time and money when it’s time for an audit, and you protect your customers’ critical data. Quickly generate reports that map to the requirements of your regulations, including HIPAA, PCI, and ISO. Safeguard your brand from breaches with the certification of a trusted and recognized third party.
LightEdge is compliant with:
- ISO 27001
- ISO 20000-1
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
- PCI DSS 3.2
If you are interested in getting a risk-free assessment from our healthcare compliance experts, a tour of any of our HIPAA- and HITRUST-compliant data centers, or to learn more about LightEdge’s compliance offerings, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.
If you want to learn more about HIPAA vs. HITRUST compliance, download our two e-books: Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid, and How to Deploy a Secure Compliant Cloud for Healthcare.