HIPAA vs. HITRUST CSF: Which One Should I Choose?

by Sarah Harvey / March 23rd, 2020

Stolen medical records, research, prototypes, prescriptions, devices – there are so many ways that healthcare organizations can be compromised. Each of these risks threatens patient care in a different way, but any of them could lead to life-or-death consequences. That is why it’s so important that healthcare organizations undergo the right type of information security audit – to ensure that they are protected in every way that they can be. We’ve consulted with many organizations that are confused about what HIPAA is, what the HITRUST CSF™ is, which one they should pursue, and whether they need to pursue both. Let’s dig into what each assessment involves so that you can begin the decision process.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the Department of Health and Human Services’ Office for Civil Rights (OCR) enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA Security Rule

The goal of the Security Rule is to create security for ePHI by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. The requirements of the Security Rule are accomplished through administrative, technical, and physical safeguards. Administrative safeguards cover personnel, training, access, and process while technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover facility access, workstations, and devices.

HIPAA Privacy Rule

The Privacy Rule regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The Privacy Rule is crucial for HIPAA because without it, healthcare organizations could disclose and distribute PHI without the consent of the individual. A Privacy Rule assessment evaluates policy and procedure documentation relating to these areas, which include: Notice of Privacy Practices, patient rights, minimum necessary standard, administrative requirements, and uses and disclosures.

HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unprotected PHI or ePHI. Covered entities have three parties that they need to notify of a breach: patients, HHS, and potentially the media. Business associates always need to notify their covered entity of a breach. In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties: what happened, what kind of PHI was disclosed in the breach, what patients should do to mitigate harm, what you’re doing to investigate and mitigate future harm, and how they can contact you.

What is the HITRUST CSF?

The HITRUST CSF is a certifiable framework for regulatory compliance and risk management. It was built on the primary principles of ISO 27001/27002, but has evolved to align with a growing number of standards, regulations, and business requirements, including HIPAA, PCI DSS, NIST 800-53/800-171, GDPR, FTC Red Flags Rule, several state requirements, and more.

When the CSF was first popularized, it was primarily focused on healthcare organizations. The changes since then reflect HITRUST’s effort to leverage international standards and expand adoption into new industries, such as financial services, travel and hospitality, media and entertainment, telecommunications, and startups.

Choosing what type of HITRUST CSF assessment to do can be a daunting task, especially when an organization is doing this audit for the first time. HITRUST CSF assessment options include:

SOC 2 Type II with HITRUST CSF Mapping

A SOC 2 Type II with HITRUST CSF mapping is an assessment that came from a collaboration between the AICPA and HITRUST. This assessment culminates in a SOC 2 report that includes a table that maps the selected Trust Services Criteria to HITRUST CSF controls.

SOC 2 Type II with HITRUST CSF Criteria

A SOC 2 Type II audit can be performed using the HITRUST controls and criteria instead of the Trust Services Criteria. In this case, the organization still receives a SOC 2 report, not HITRUST CSF certification. This type of reporting option is chosen when a service organization wants its service auditor to express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF requirements.

SOC 2 Type II and HITRUST CSF Certification

When both a SOC 2 Type II report and HITRUST CSF certification are required, organizations can combine these two audits into one effort – getting the full benefit of both audits while reducing the time and effort it takes to complete them separately. At the end of the audit process, the organization receives both a SOC 2 Type II audit report and a HITRUST CSF validated report.

HITRUST CSF Self-Assessment

A HITRUST CSF self-assessment is a great way to begin your HITRUST compliance efforts, and is what KirkpatrickPrice recommends to clients who are just starting out. This option is your own evaluation and attestation of your organization’s compliance, completed in 90 days and culminating in a report.

HITRUST CSF Validated Assessment

A HITRUST CSF validated assessment is performed by an approved CSF Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST CSF self-assessment in which you answer questions and attest to your compliance, followed by a CSF Assessor validating your controls against what you have said is in place, and HITRUST granting certification.

Should You Choose a HIPAA or HITRUST CSF Assessment?

Need help deciding which audit is appropriate or required for your organization? KirkpatrickPrice is here to help. We are passionate about enabling healthcare organizations to provide better patient care through information security efforts. Let’s talk today about HIPAA, HITRUST, and other elements of security programs in healthcare.
