HIPAA, HHS OCR, and HITRUST | How do they all fit together

February 2, 2018

Written by HITRUST Independent Security Journalist Sean Martin. 

Given the complex regulatory and standards environment – albeit, designed to raise the level of an organization’s security posture – many organizations find that trying to figure out what assessments, actions, controls, audits, and reports are required can sometimes be a very daunting and confusing venture.

As one example, there can often be a misunderstanding surrounding what’s required when it comes to meeting the HIPAA requirements from a Department of Health and Human Service’s Office for Civil Rights (OCR) perspective.

In one particular case, we saw a tweet from Charlotte Tschider from Cyber Simple Security, where she accurately points out that:

“The HITRUST certification, although valuable and great framework, has not been approved by @HHSGov as default covering #HIPAA obligations. This is a misconception by companies pursuing HITRUST; you still have to demonstrate compliance during an OCR audit.”

In the spirit of helping to clarify what the OCR requires: Charlotte is correct that the OCR does not endorse any credentialing or accreditation program, including their own, NIST. However, this should not deter organizations looking for the best possible way to address their compliance requirements, evaluate their information security posture, and manage information risk.

To further this point, we can reference the article, How Texas is Boosting HIPAA Compliance, by Marianne Kolbasuk McGee (@HealthInfoSec) where, in the article, an OCR spokeswoman told Information Security Media Group: “While OCR does not endorse any particular credentialing or accreditation program, we certainly encourage covered entities and business associates to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so.”

The spokeswoman further added: “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance.”

As a standards organization, HITRUST® has spent the last ten years integrating and harmonizing regulatory requirements (such as HIPAA), industry and government standards (such as NIST), and other related best practices to help organizations manage their information security risk management and compliance requirements. This, of course, includes the HIPAA risk analysis requirement.

In fact, the HITRUST CSF is the leading controls standard in the healthcare industry (HIMSS survey). When coupled with its robust assessment and assurance program HITRUST can help organizations build the strong HIPAA compliance program OCR is looking for when conducting an audit or investigation.

As an organization driven to help the healthcare industry deliver better patient care through improved and streamlined risk management and compliance processes, the HITRUST framework and assurance methodology has been defined and built—and continues to be updated—to meet the requirements and gives organizations the documentation to support an OCR audit. This is demonstrated by the thousands of assessments completed and use of the HITRUST CSF by both state and federal regulators.

So, while the OCR does apply additional requirements to fulfill the letter of the law for HIPAA, HITRUST provides the substantiation that an organization can use to support its full HIPAA compliance. Our ultimate goal is to bring these efficiencies beyond HIPAA, enabling organizations to apply a single framework with a single assessment to multiple standards and regulations, and in doing so to raise the bar in managing their cyber and information risk.

