HIPAA, HHS OCR, and HITRUST | How do they all fit together

February 2, 2018

Written by HITRUST Independent Security Journalist Sean Martin. 

Given the complex regulatory and standards environment, which is, after all, designed to raise the level of an organization’s security posture, many organizations find that figuring out which assessments, actions, controls, audits, and reports are required can be a daunting and confusing venture.

As one example, there is often a misunderstanding about what is required to meet the HIPAA requirements from the perspective of the Department of Health and Human Services’ Office for Civil Rights (OCR).

In one particular case, we saw a tweet from Charlotte Tschider of Cyber Simple Security, in which she accurately points out that:

“The HITRUST certification, although valuable and great framework, has not been approved by @HHSGov as default covering #HIPAA obligations. This is a misconception by companies pursuing HITRUST; you still have to demonstrate compliance during an OCR audit.”

In the spirit of helping to clarify what is required by the OCR, Charlotte is correct that the OCR does not endorse any credentialing or accreditation program, including its own, NIST. However, this should not deter organizations looking for the best possible way to address their compliance requirements, evaluate their information security posture, and manage information risk.

To further this point, we can reference the article How Texas Is Boosting HIPAA Compliance by Marianne Kolbasuk McGee (@HealthInfoSec), in which an OCR spokeswoman told Information Security Media Group: “While OCR does not endorse any particular credentialing or accreditation program, we certainly encourage covered entities and business associates to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so.”

The spokeswoman further added: “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance.”

As a standards organization, HITRUST® has spent the last ten years integrating and harmonizing regulatory requirements (such as HIPAA), industry and government standards (such as NIST), and other related best practices to help organizations manage their information security risk and compliance requirements. This, of course, includes the HIPAA risk analysis requirement.

In fact, the HITRUST CSF is the leading controls standard in the healthcare industry (according to a HIMSS survey). When coupled with its robust assessment and assurance program, HITRUST can help organizations build the strong HIPAA compliance program that OCR is looking for when conducting an audit or investigation.

HITRUST is driven to help the healthcare industry deliver better patient care through improved and streamlined risk management and compliance processes. To that end, the HITRUST framework and assurance methodology have been defined and built, and continue to be updated, to meet the requirements and to give organizations the documentation needed to support an OCR audit. This is demonstrated by the thousands of assessments completed and by the use of the HITRUST CSF by both state and federal regulators.

So, while the OCR does apply additional requirements to fulfill the letter of the law for HIPAA, HITRUST provides the substantiation that an organization can use to support its full HIPAA compliance. Our ultimate goal is to bring these efficiencies beyond HIPAA, enabling organizations to apply a single framework, with a single assessment, to multiple standards and regulations, and to further raise the bar in how they manage their cyber and information risk.
