HIPAA, HHS OCR, and HITRUST | How do they all fit together

February 2, 2018

Written by HITRUST Independent Security Journalist Sean Martin. 

Given the complex regulatory and standards environment – albeit one designed to raise an organization's security posture – many organizations find that working out which assessments, actions, controls, audits, and reports are actually required can be a daunting and confusing exercise.

As one example, there is often a misunderstanding about what is required to meet the HIPAA requirements from the perspective of the Department of Health and Human Services' Office for Civil Rights (OCR), the agency that enforces HIPAA.

In one particular case, we saw a tweet from Charlotte Tschider of Cyber Simple Security, in which she accurately points out that:

“The HITRUST certification, although valuable and great framework, has not been approved by @HHSGov as default covering #HIPAA obligations. This is a misconception by companies pursuing HITRUST; you still have to demonstrate compliance during an OCR audit.”

In the spirit of helping to clarify what OCR requires: Charlotte is correct that OCR does not endorse any credentialing or accreditation program, and that includes the federal government's own NIST frameworks, which OCR treats as guidance rather than as proof of compliance. However, this should not deter organizations looking for the best possible way to address their compliance requirements, evaluate their information security posture, and manage information risk.

To further this point, we can reference the article How Texas is Boosting HIPAA Compliance by Marianne Kolbasuk McGee (@HealthInfoSec), in which an OCR spokeswoman told Information Security Media Group: "While OCR does not endorse any particular credentialing or accreditation program, we certainly encourage covered entities and business associates to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so."

The spokeswoman further added: “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance.”

As a standards organization, HITRUST® has spent the last ten years integrating and harmonizing regulatory requirements (such as HIPAA), industry and government standards (such as NIST), and other related best practices to help organizations manage their information security risk and compliance requirements. This, of course, includes the HIPAA Security Rule's risk analysis requirement (45 CFR § 164.308(a)(1)(ii)(A)), which OCR has repeatedly cited in enforcement actions.

In fact, the HITRUST CSF is the most widely adopted controls framework in the healthcare industry, according to a HIMSS survey. When coupled with its assessment and assurance program, HITRUST can help organizations build the strong HIPAA compliance program OCR is looking for when it conducts an audit or investigation.

HITRUST is driven to help the healthcare industry deliver better patient care through improved and streamlined risk management and compliance processes. To that end, the HITRUST framework and assurance methodology have been defined and built, and continue to be updated, to meet those requirements and to give organizations the documentation they need to support an OCR audit. This is demonstrated by the thousands of assessments completed and by the use of the HITRUST CSF by both state and federal regulators.

So, while OCR does apply additional requirements to fulfill the letter of the law for HIPAA, HITRUST provides the substantiation that an organization can use to support its HIPAA compliance; it does not replace the organization's own obligation to demonstrate that compliance to OCR during an audit or investigation. Our ultimate goal is to bring these efficiencies beyond HIPAA, enabling organizations to apply a single framework, with a single assessment, to multiple standards and regulations, and in doing so to raise the bar on how they manage their cyber and information risk.
