HIPAA HITRUST

In the healthcare industry, HIPAA is a given, and many organizations have unfortunately learned the hard way exactly what a violation of HIPAA policies and guidelines can cost in terms of fines and customer loyalty.

HIPAA extends far beyond the obvious healthcare facilities and also impacts insurance agencies, medical supply manufacturers, regulated SaaS serving the medical industry, and more. As HIPAA’s scope broadens, it’s easy to see how the possibility of violations also increases, and the same gaps that produce violations leave organizations more susceptible to data breaches. This is why HITRUST is such a critical certification in the compliance arsenal of any organization connected to the healthcare industry.

What is HITRUST?

With individual healthcare companies seeing thousands of patients daily, they are held to the highest level of compliance when it comes to protecting protected health information (PHI), and so are their suppliers and other business associates that handle that data on their behalf. At its very core, HITRUST was established to help mitigate the risks associated with a data breach of any of that private data through a rigorous set of controls.

When an organization works toward HITRUST, they become familiar with the provided Common Security Framework (CSF), which allows for the consistent implementation of HIPAA requirements. More specifically, the HITRUST CSF provides a tested and proven outline to follow for any organization that creates, accesses, stores, or exchanges PHI and financial information.

How does HITRUST Help Me Avoid Data Breaches?

HITRUST revolves around security and is widely regarded as the gold standard for those in or involved with the healthcare industry. By consistently implementing HIPAA requirements and locking down your data security, you leave fewer vulnerabilities for threat actors to exploit, giving you confidence that you’re maintaining a system worthy of your customers’ trust.

Additionally, the commitment to compliance excellence and the recurring audit process required to maintain the certification offer you the opportunity to create a culture of continual improvement. The way your compliance strategy evolves over the course of an audit and throughout the maintenance of the certification gives you a leg up against the competition.

How do I get Certified?

While the time it takes can vary from organization to organization, the HITRUST audit process can feel like an uphill battle. In order to achieve the coveted HITRUST certification, you must successfully demonstrate your organization’s ability to meet all the controls required for the current year’s certification—and they do change slightly from year to year. On top of that, you must score a rating of three or higher on HITRUST’s maturity scale of one to five for most of the control domains documented in MyCSF, the HITRUST assessment platform.

LightEdge has successfully achieved HITRUST certification, so we understand just how daunting this may seem. Here’s what we’ve found works to help ensure the best possible outcome for your organization’s audit process:

Step 1: Understand the Responsibility of Each Employee

Your IT team is not the only part of your organization that will get you certified. Everyone in your organization has to be on board with the process. You will need to dedicate time and energy to educating employees on what HITRUST is, the role each employee plays in earning and maintaining the certification, and the impact if they fail to do so. For example, HITRUST requires members of your Security Team to stay up-to-date on the latest cybersecurity threats and trends; the points lost if they don’t could jeopardize next year’s certification.

Step 2: Documentation is Key

Write everything down and store it securely for the auditors to access. If you don’t document your processes for security and compliance, you simply can’t achieve this certification. You have to be able to provide substantial evidence that your organization is operating within the provided framework.

Step 3: Appoint your Organization’s CSF Assessor

It’s important to have a dedicated member of your team to help you prepare for your audit. This is where a CSF assessor will come in. In this context, the assessor is a member of your own team who has already been through the HITRUST certification process successfully and can act as your internal lead; note that the validated assessment itself must still be performed by a HITRUST Authorized External Assessor organization, so this internal role prepares you for, rather than replaces, that third-party review. Make sure your assessor can stay cool under pressure and is used to dealing with facts and evidence-based data points. Their validation will be a critical piece in your HITRUST journey, as they will evaluate your performance and guide you in the right direction.

Step 4: Be Ready to Rinse and Repeat

Your journey doesn’t end when you attain your HITRUST certification. You will need to repeat this process each year if you want to maintain it. Your organization must complete annual reviews of the policies and procedures against which you were initially assessed, and be prepared to meet new requirements as they are added to the certification. If you can’t repeat the process that you may have spent several months, or even years, working on, you won’t be able to keep your certification and will be back at square one.

A Note Before Continuing

It’s important to be aware of your organization’s compliance budget before beginning the HITRUST audit process. This is one of the costlier certifications to attain, with conservative estimates ranging from $50,000 to $200,000, not including routine maintenance and ongoing preparation for the next year’s audit.

Another cost is the time it takes for your professionals to sit with auditors and prepare for the process, a cost counted both in their salaries and in the productivity that could otherwise have gone to revenue-generating activities. With the typical HITRUST audit process ranging from nine months to one year, this is hardly an insignificant amount of time.

What Can I do to Expedite the Process?

If you’re a little hesitant to jump into the HITRUST process by yourself, you’re not alone, but don’t let that deter you from reaching for the compliance stars. Did you know that there’s a program that can make the process a little easier for you? Select cloud hosting providers can help you offload significant burden and responsibility. Ask your provider about HITRUST Inheritance.

If you have a provider that offers HITRUST Inheritance, you can save a significant amount of time and money when it’s time to undergo your annual audit, protect your customers’ critical data with confidence, and safeguard your brand from breaches with the backing of a trusted and recognized third-party expert. Depending on how you leverage your cloud provider, you can inherit their scores for the controls they implement on your behalf, rather than re-testing those elements yourself.

Through LightEdge’s Compliance as a Service, we can quickly generate reports that map to your other compliance requirements as well, including HIPAA, PCI DSS, and ISO. LightEdge also offers a free risk assessment from our Chief Security Officer as a resource to all of our customers. It’s safe to say that compliance and security are key differentiators for us when it comes to how we serve our customers.

LightEdge’s HITRUST Inheritance Makes HITRUST Accessible and Achievable

LightEdge is among fewer than twenty providers who have undergone the demanding process of attaining HITRUST CSF Certification and joined the HITRUST Inheritance program. With LightEdge as your partner in compliant hosting solutions, you’re able to confidently state that you have the clarity, backing, and stamp of HITRUST approval. All seven of our world-class data centers are HITRUST-certified to keep your data safe.

If you are interested in getting a risk-free assessment from our healthcare compliance experts, a tour of any of our HIPAA and HITRUST compliant data centers, or in learning more about LightEdge’s compliance as a service benefits, contact us here. We have cloud hosting, security, and compliance experts standing by to answer any of your questions. 



Michael Hannan, Director of Compliance

Michael has eleven years of information systems, IT, consulting, and compliance experience. His expertise includes identifying and implementing general IT systems, applications, and business controls in conjunction with external compliance audits.

Michael is currently the Director of Compliance at LightEdge, helping to establish, maintain, and enforce the information security policies and procedures that keep LightEdge customers protected at all times.
