By Ali Pabrai, Chief Executive, ecfirst.
The start of 2017 has witnessed two entities fined for over $2.5 million for lack of a credible HIPAA compliance program. HIPAA compliance in 2017 is at least a seven-figure risk to covered entities and business associates. Does your organization have a credible HIPAA compliance program? What does compliance with HIPAA require? How does an organization establish a credible HIPAA compliance program? How is senior leadership assured the organization has an enterprise-wide HIPAA compliance program that continually addresses HIPAA mandates? These questions must be answered to give senior leadership the confidence that the risk associated with HIPAA non-compliance has been significantly reduced.
The HIPAA settlements, fines, and Corrective Action Plans (CAP) from 2016 and now in 2017 provide a clear directive to the healthcare industry (as well as business associates) – establish a credible, evidence-based HIPAA compliance program. If you fail to do so, senior leadership must recognize the organization is at a significant business risk in terms of dollars – often seven figures or more.
This article examines how the HITRUST CSF provides a credible and a comprehensive framework for an organization to continually address HIPAA and HITECH regulatory requirements. Why is this so important? Simply put, continually meeting HIPAA mandates and establishing the foundation for an enterprise cyber security program significantly reduces the business risk to the organization.
Why the HITRUST CSF for HIPAA Compliance?
The HITRUST CSF provides a comprehensive, scalable, and a technology-neutral framework to address HIPAA mandates. It is a formal and formidable framework, developed specifically for the healthcare industry, to address privacy and security regulatory requirements. We know compliance with HIPAA requires an organization to address the following on a continual basis:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HITECH Breach Notification
Everything in the HIPAA and HITECH regulations comes down to these three words: “reasonable and appropriate.” This implies the organization must implement “reasonable and appropriate” safeguards to secure all enterprise ePHI.
The HITRUST CSF enables an organization, be it a covered entity or a business associate, to formally address these HIPAA mandates. With the application of the HITRUST CSF, an organization knows the exact gaps to address to help ensure credible HIPAA compliance.
HIPAA Safeguards Map to HITRUST CSF Control Categories/Domains
The pillars of HIPAA compliance are based on defined safeguards (e.g. Administrative, Physical, Technical and others), as well as Standards and Implementation Specifications. The HITRUST CSF is architected on the ISO/IEC 27001:2005 control clauses. All HIPAA requirements are mapped by the HITRUST CSF to Control Categories/Domains. The CSF is comprised of:
- 14 Security Control Categories
- 46 Control Objectives
- 149 Control Specifications
Control Categories/Domains include Access Control, Security Policy, Business Continuity Management, Privacy Practices and more. Each control domain consists of one or more control objectives; a control may have up to three levels of implementation requirements. These may include requirements integrated from several sources and standards such as HIPAA, PCI DSS, and NIST.
Why are these control domains relevant for HIPAA compliance? These control domains in HITRUST map back and address all HIPAA-related Standards and associated Implementation Specifications. For example, the Sanctions Policy Implementation Specification in the HIPAA Security Rule maps to Disciplinary Process in the HITRUST CSF v8.
The HITRUST CSF establishes maturity levels relevant to evaluating an organization’s compliance and security program. There are five formally defined maturity levels:
By basing an organization’s HIPAA compliance program on the HITRUST CSF, we can determine, in a structured way, how compliance requirements are being addressed for each of the defined HIPAA requirements. Have policies been developed? Are procedures practiced? Which controls have been implemented? What are the control deficiencies? How are the controls monitored and managed?
The HITRUST CSF defines the compliance scale maturity levels as:
- Non-Compliant (NC)
- Somewhat Compliant (SC)
- Partially Compliant (PC)
- Mostly Compliant (MC)
- Fully Compliant (FC)
The compliance scale maturity levels formalize and validate the maturity of the organization’s HIPAA compliance program. Finally, the HITRUST CSF defines maturity ratings to help an organization understand how effectively they are addressing their compliance and security requirements. The defined HITRUST maturity ratings range from Level 1 (lowest) to Level 5 (highest).
Closing Remarks for Senior Executives
Don’t wait until it’s too late. Tomorrow starts now! Establish a credible HIPAA compliance program aligned with the HITRUST CSF. Prioritize the completion of HITRUST certification. Applying the HITRUST CSF to address HIPAA mandates requires the following key steps:
- Integrate the HITRUST Risk Management Framework into your information protection program.
- Conduct a comprehensive HITRUST CSF Self-Assessment.
- Perform HITRUST CSF Validation and Certification.
- Manage and maintain HITRUST CSF Certification‒ Continually
The bottom-line recommendation for HIPAA compliance:
HITRUST CSF = Credible HIPAA Compliance!
The HITRUST CSF certification helps support an organization’s assertion of HIPAA compliance. When you think of HIPAA compliance, think HITRUST CSF certification. Get started now!
Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Security+, a cyber security & compliance expert, is the chief executive of ecfirst.
You may be interested
HITRUST 2017 Recap – Part 1Robert Whitfield - May 15, 2017
The HITRUST 2017 event was another huge success, with over 400 attendees collaborating and learning from each other as experts…
Partnering with Vendors to Secure PHIRobert Whitfield - Apr 21, 2017
Written by Bob Quandt, interim ISO for Sharecare as owner of Bullseye Compliance, LLC. Third-party risk continues to be one…