Finding Regulatory Synergies Within the HITRUST Framework

Posted: November 3, 2017

HITRUST certification can support compliance with many other healthcare related regulations.

Currently there are many regulatory obligations placed on healthcare security and privacy officers. The need to comply with a multitude of standards, laws, and regulations can be daunting. There are synergies and overlaps, however, that can be used to ease this burden. HITRUST certification is a perfect example of this.

Did you know that a HITRUST certification usually covers 75% or more of these standards, laws and regulations?

Let’s take a look at the HITRUST framework to better understand.

The foundation of the HITRUST standard framework is ISO 27001, with the core of HITRUST being the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the Security Rule, the Breach Notification Rule, and most of the Privacy Rule.

Healthcare organizations can be subject to additional standards, laws and regulations outside of HIPAA, including but not limited to FISMA, FTC, Joint Commission, State Laws, CMS Minimum Security Requirements, MARS-E, FTI, De-Identification, and the NIST Cyber Security Framework.

The HITRUST Standard makes it possible to include all applicable standards, laws and regulations in one assessment. During the scoping process of a HITRUST Assessment, the requirements selected for the assessment will depend on the applicable standards, laws and regulations, in addition to the organization's classification and size.

Healthcare Organization Classifications:

  1. Covered Entities (Health Care Providers, Health Plans and Healthcare Clearing Houses)
    1. Health information Exchange (HIE)
    2. Hospital/Inpatient Facility
    3. Payer
    4. Pharmacy/Pharmacy Benefit Management (PBM)
  2. Business Associates (Organizations that provide a service, function or activity to Covered Entities, that involves PHI data)
    1. Service Provider (IT)
    2. Service Provider (non-IT)

Do you need help understanding what standards, laws and requirements apply to your environment? As a HITRUST certified assessor, we can help. Contact us today to learn more.

Author: Martha Raber

Martha Raber is a HIPAA Security Consultant for CompliancePoint’s Information Security Practice. Her knowledge spans across multiple industries and entities including healthcare, telecommunications, and travel technology (airlines and SaaS). Martha’s passion lies with knowing she can help Organizations meet compliance and mitigate risk through Gap and Risk Assessments and by providing recommendations for meeting regulatory requirements and internal organizational objectives. Martha has earned the HITRUST CSF Practitioner, CISSP, and CompTIA Security+ certifications. She has also earned a Master’s of Science in Information Systems and a certification in Business Management from Stratford Career Institute.