By Gina B. Pruitt, CPA
HIPAA, HITECH and HITRUST: The Path to Compliance
In Part 1 of this series – “What the H?” – we explored the basics of HIPAA, HITECH and HITRUST, as well as how these “H-words” apply to the security of protected health information (PHI). An understanding of these concepts is essential for entities handling PHI because compliance is legally required for HIPAA and HITECH. “How do I get – and stay – compliant?” is the (potentially million-dollar) question facing any entity handling PHI. Below, we’ll outline the recommended path to compliance.
Having an annual security and privacy risk analysis performed sets the foundation for successful HIPAA compliance. Under the Security and Privacy Rules, HIPAA legally requires covered healthcare entities (and their business associates, as addressed by HITECH) to analyze the specific risks and possible vulnerabilities their organizations face. Entities must also take “reasonable and appropriate” measures (i.e., the implementation of security and privacy controls) to eliminate potential risks to PHI.
HIPAA accounts for the fact that entities face differing security risks based on size, scope, and other factors. The law states: “Given that the healthcare marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks…”
A risk analysis, which should address the HIPAA Security Rule, Privacy Rule and Enforcement Rule, should be based upon criteria and standards established by the Office for Civil Rights (OCR), the Centers for Medicare and Medicaid Services (CMS), and recommendations of the National Institute of Standards and Technology (NIST).
Your organization’s risk analysis should address these fundamental questions:
What is the flow of PHI in our organization?
Know where PHI is stored within your system, as well as precisely how it is being created, received and transmitted. You’re also responsible for how business associates handle PHI because they must be HIPAA compliant as well. Covered entities should be aware of every server, computer, device, application, filing cabinet, e-mail, etc. that come into contact with PHI at any time.
How do our current IT systems make us vulnerable?
HIPAA requires that you test your security controls and identify specific threats to your systems. Are you using operating systems or software that can be easily hacked? Have you encrypted ALL devices (not just computers) that handle PHI? Is data encrypted in transit, at rest and when stored (i.e., including backups)? Though it’s not explicitly required by HIPAA, vulnerability scans and penetration testing are effective methods for identifying risks that need to be mitigated.
How do we minimize human error?
Human risk factors must be accounted for as well. Employee negligence when handling PHI (e.g., improper storage or disposal, transmission to the wrong party, falling prey to phishing scams, etc.) can lead to significant security breaches. First, know who in your organization has access to PHI and confirm that those individuals have a business need for such access. Then ensure that those with access are appropriately trained on HIPAA.
Organizations must also protect against premeditated breaches. For example, a disgruntled former employee could attempt to sell sensitive information if his/her access was not terminated properly.
Risk Management Plan
Not all threats are equal. In addition to identifying vulnerabilities within your organization, you are responsible for assessing the severity of each threat. Your risk management plan moving forward should put controls in place to prioritize threats based upon potential impact.
Though HIPAA requires a risk analysis annually, one should view risk analysis as an ongoing, dynamic process. At any point during the year, your organization might adopt new office technology, bring on new personnel, or make other changes that require re-evaluation of your risks.
Entities should assign at least one person to oversee their compliance program. This person is responsible for ensuring the entity complies with both its external regulatory requirements and its internal policies.
How does HITRUST fit in?
As we explained in Part 1, HITRUST is a private organization of providers (hospitals, physician practices, etc.), and payers (insurance companies) that created a certifiable framework for healthcare technology security: HITRUST CSF.
This framework addresses the various security, privacy and regulatory challenges facing healthcare entities in order to help them comply with healthcare (HIPAA, HITECH), government (NIST, FTC), and third-party (PCI, COBIT) standards and regulations. Though HIPAA is just one portion of the HITRUST CSF, the assessment process “is meant to serve as a HIPAA risk assessment and has been recognized as an acceptable risk management framework by HHS.” Thus, the HITRUST CSF can be leveraged for HIPAA compliance. However, it is important to note that the HITRUST CSF does not guarantee or issue a certificate of HIPAA compliance.
The path to HITRUST CSF Certification is an involved process — don’t expect an overnight turnaround. The following approach is recommended*:
- Complete a Readiness Assessment
To begin, your current control environment should be reviewed in order to identify gaps between current controls and the minimum HITRUST requirements. Hiring an experienced third-party HITRUST Certified CSF Assessor is recommended. However, you can perform this step yourself – as long as you’re honest and thorough.
- Perform a Self Assessment
Though the term is “self” assessment, you can either perform this step yourself or hire a third-party CSF Assessor to assist you (recommended).
Either way, you must first purchase the HITRUST Self Assessment Report and/or a subscription to the CSF Tool. By completing the information and questions in the Self Assessment, the CSF Tool identifies your population of HITRUST requirements based on your individualized risk factors (e.g., volume, transactions, cloud services, etc.).
Note: This process results in a report which can be provided to third parties to show that you’re committed to meeting the requirements of HITRUST. This report is not validated by HITRUST and does not result in certification, but it is a step towards that desired result because it provides the starting point for a CSF Assessor to test your HITRUST requirements, as explained in the next section.
- Seek Validation and/or Certification
Though it’s recommended that you utilize a third-party HITRUST CSF Assessor’s assistance for all steps, it is actually required for this portion. Once a Self Assessment has been completed, a HITRUST CSF Assessor will assess the testing performed during that process. If the CSF Assessor believes the testing was not adequate, the CSF Assessor is required by HITRUST to perform additional testing.
The CSF Assessor must document their assessment and supporting materials before submitting the assessment to HITRUST. In fact, only a CSF Assessor can submit the assessment on your behalf. HITRUST then reviews the assessment and determines if you’re in compliance with the HITRUST CSF. The results are either:
- CSF Validated Report
Once HITRUST reviews the submitted assessment, they will issue a validated report. Validation here purely means that it has been reviewed by HITRUST. If there are areas that don’t meet the compliance threshold, you will be informed through a CAP (corrective action plan) report.
- CSF Validated Report & CSF Certification
Entities that HITRUST has deemed in compliance with the CSF requirements will receive a validated report and a certification letter. These two items can be provided to customers and auditors, as well as included in a SOC 2 + HITRUST report. HITRUST certification is good for two years, as long as you complete an interim review and there’s no breach or drastic change in scope during that time.
* Though not all steps are currently required, this process allows an entity to become aware of its compliance deficiencies and correct those issues prior to submitting an assessment to HITRUST for validation and certification. CSF Certification will eventually be required for contracting with and payment from many of the large payers/insurance companies by the end of 2018. It’s advisable to start this process soon.
For a firm to become a HITRUST CSF Assessor, it must have a minimum of five individuals who are HITRUST Certified CSF Practitioners (CCSFP). To qualify for this certification, each person must have at least two years of experience in both healthcare and information security prior to beginning the application process. Then they complete six to ten hours of guided self-study and approximately 20 hours of face-to-face training before sitting for a two-hour exam. To maintain the certification, the professionals must also participate in ongoing training and recertify every two years. Assessors are also required to develop and implement various organizational quality assurance procedures.
Though the use of a third-party HITRUST CSF Assessor is only required for the third step, it is recommended for all steps of the certification process. CCSFPs have been extensively trained and are intimately familiar with HITRUST and the CSF requirements, which allows them the insight and knowledge to perform these services in an efficient and effective manner.
Now that we’ve covered the basics of the “what” and “how” of healthcare information security compliance, we’ll address one final question: Why is it so important to stay compliant? We spell out the consequences and real-life horror stories in Part 3: Why the H?
Gina B. Pruitt, CPA, CITP, CISA, CGMA, CQA, CRISC, CEMB, CCSFP, CHFP is member-in-charge of the Risk Assurance & Advisory Services practice at KraftCPAs PLLC and has more than 30 years of experience in public accounting. A HITRUST Certified CSF Assessor, KraftCPAs works extensively with healthcare providers and related entities. For more information, contact Gina at firstname.lastname@example.org.