A right to individual privacy and security of our personal information is a closely held belief for all of us, perhaps more so when it comes to our private medical information. With stories of rogue entities hacking patient databases, Private Health Information (PHI) being intercepted during information exchange, and ransomware that financially exploits companies or risks their patients’ details being released on the web, it is easy to feel like it is only a matter of time before your information is exposed. For patients and medical professionals alike, it’s clear that a new, more effective standard or framework for protecting PHI must be implemented.
That standard and framework is HITRUST.
But wait… What is HITRUST?
Simply put, the Health Information Trust Alliance (HITRUST) is a common security framework (CSF) designed for healthcare entities to ensure sensitive information remains safe and secure. Rather than just taking someone’s word for it, it is also a way for healthcare companies and individuals to vet the trustworthiness of another entity’s ability to securely handle sensitive information.
More specifically, HITRUST is an extensive certification program that combines over a dozen different security standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC) into one organized Common Security Framework (CSF). It is intended for any and all entities that create, access, store, or exchange personal health and financial information. In order to be HITRUST certified, an organization must adopt the CSF and ensure that hundreds of policies and procedures are documented and that these policies and procedures, along with the proper technology, are implemented, measured and managed. A certified company goes through a thorough on-site audit by a third-party certified CSF assessor and then another thorough review of that assessor’s findings by the HITRUST organization itself before HITRUST issues that company its certification.
Okay, why the heck would an organization want to get HITRUST certified?
Basically, a company implements the security framework and then has it completely reviewed by an independent third party, and then by HITRUST. Why? It’s fun! Not really. An organization gets the certification so each person or entity they do business with can trust them without having to go through a painstaking process of forensically vetting that company’s technology, people, and processes before trusting them. The independent certified HITRUST assessor and HITRUST have already done that vetting.
Okay, so what does all of that mean?
It is a way everybody handling sensitive information can ensure information security using the same framework, operating under the same rules. Hospitals, insurance companies, physician offices, pharmacies, and healthcare vendors will eventually find themselves questioned by someone about their handling of sensitive information. Hopefully those questioned will have the answers. Hopefully the questions aren’t coming to the organization from the federal government after a data breach. With HITRUST practices in place, information is safe and everyone is held to the same standards and practices.
While HITRUST is only slowly being adopted nationwide currently, I believe that will quickly change. Organizations operating in healthcare simply have the need to exchange sensitive patient information with other organizations, be it a hospital working with a lab or a technology company supporting a clinic’s EHR system. HITRUST will soon become the gold standard of trust in healthcare compliance. Below are seven reasons why HITRUST is the security framework of the future, and why you might want to get onboard with it now:
- HITRUST offers covered entities a trusted benchmark from which they can measure and manage compliance controls
  - Everybody plays by the same rules
- HITRUST creates an industry-managed approach to meeting the requirements of multiple compliance measures intended to protect PHI
  - Keeps private information private
- HITRUST will provide more comprehensive methods to assess, mitigate, and manage risk within standardization
- HITRUST offers standardized and actionable guidance to clarify requirement definitions that entities have heretofore been allowed to define for themselves (for example, what is “reasonable protection”?)
  - Nothing lost in translation
- HITRUST is developed by healthcare and IT professionals who have a vested interest in maintaining the highest levels of healthcare information security, making it the first self-governing body of its kind in healthcare
  - The people in charge know what they’re doing. Refreshing, isn’t it?
- HITRUST will weed out covered entities and vendors that skirt compliance requirements to just get by, making the industry safer and more trusted when it comes to PHI, as the certification involves a significant financial and time investment
  - No bad guys allowed
- HITRUST will likely be adopted as a requirement for any organization that deals with private health information, judging by current industry trends
  - It’s the way of the future.
Simply stated, when it comes to sensitive information, you want HITRUST on your side. It’s okay; you can bandwagon.
To learn more about HITRUST, what it entails, and how it will affect your organization, click here and stay informed. Interested in having your medical communications, healthcare information, and patient billing handled by a HITRUST-certified organization? Learn more about MailMyStatements and see how their solutions can save you time and money.
Read more at https://mailmystatements.com/
Mr. Hugh Sullivan is considered an industry thought leader and has spoken on numerous occasions at local, regional and national healthcare forums. He is currently a member of the HFMA and ACA International and has served as a board member of WEDI, a nonprofit organization focused on the use of health IT to improve healthcare information exchange.
Hugh has a BS in Logistics Systems Management from Colorado Technical University. He enjoys being a husband and father to his wife and three boys, as well as an occasional round of golf.