The A-LIGN Blog


Ask A-LIGN’s Experienced Assessors: HITRUST

Because of the unique challenges facing the healthcare industry, companies are weighing their options for mitigating and managing risk. HITRUST offers a framework that allows for consistent implementation of the HIPAA requirements, but it also raises many questions that need answering. Below are a few of the questions that A-LIGN Partner Gene Geiger most frequently answers when speaking with companies seeking HITRUST certification, including your firm's options for HITRUST Certification.

What are my options to become HITRUST Certified? Are there any other options?

To become certified against the HITRUST Common Security Framework (CSF), you must undergo a validated assessment by a HITRUST Assessor Firm and submit the assessment results through the MyCSF tool to the HITRUST Alliance for review and final Certification. The HITRUST Alliance evaluates the submission and the scores received during the assessment and issues a certified report based on your company's scoring (scoring is discussed further in the questions below). You may also undergo a self-assessment using the MyCSF tool, or perform a SOC 2 + HITRUST CSF audit. The SOC 2 + HITRUST CSF audit is an assessment performed by a CPA firm that is also a HITRUST Assessor Firm. Neither the Self-Assessment nor the SOC 2 + HITRUST CSF audit results in HITRUST Certification, but both offer a way to demonstrate compliance against the HITRUST CSF.

https://hitrustalliance.net/csf-assessors/

Do I have to purchase the MyCSF tool from the HITRUST Alliance to become HITRUST Certified? Can I purchase that from you?

To become HITRUST Certified you must purchase and use a MyCSF subscription through the HITRUST Alliance. You cannot purchase the subscription through A-LIGN or any other assessor firm.

https://hitrustalliance.net/documents/mycsf/mycsf_information/MyCSFRiskAndComplianceManagement.pdf

I’m a small to medium sized business; how am I expected to pass the same certification and meet the same controls as these large corporations? Are there any ways to reduce the cost of certification for a company of my size?

The HITRUST CSF was designed for organizations of all sizes. Every control is rated on the same five-point compliance scale: Non-Compliant (0), Somewhat Compliant (25), Partially Compliant (50), Mostly Compliant (75), or Fully Compliant (100). Those ratings are then combined under a weighted scoring system rather than simple pass/fail. The scoring follows the principle that “one can’t manage what one can’t measure,” and its risk-based approach applies directly to small and medium sized organizations.

https://hitrustalliance.net/documents/csf_rmf_related/RiskAnalysisGuide.pdf

How do I know if I will pass the test and receive certification from the HITRUST Alliance? What happens if I fail?

Your team and the assessor firm will know whether a control has met the passing score for certification. MyCSF scores each control as your assessor evaluates it throughout the process, so you will know whether you have reached a passing score before A-LIGN submits the assessment to HITRUST. If you submitted before reaching a score of 3 out of 5, the minimum passing score for certification, you would still receive a validated HITRUST assessment report, but you would not receive a certification from the HITRUST Alliance. If you do not achieve certification on the first submission, you may be able to resubmit.

Will this assessment meet my requirements for HIPAA compliance? What about my PCI DSS certification and NIST 800-53 compliance?

While HIPAA compliance remains a priority in healthcare, the HITRUST CSF can be used to translate HIPAA and HITECH requirements into a step-by-step compliance roadmap. HITRUST was built upon the ISO 27001 framework and incorporates controls from HIPAA, NIST 800-53, PCI DSS, various state requirements (Nevada, Massachusetts, and Texas), and COBIT. Because so many standards are cross-referenced within HITRUST, your organization can mitigate risk more broadly than by meeting HIPAA requirements alone. However, although the HITRUST CSF Certification lets you assess yourself against the cross-referenced requirements of those standards, it does not grant you a separate PCI DSS, ISO 27001, or NIST 800-53 certification; each of those still requires its own assessment.

https://hitrustalliance.net/hipaa-king-hitrust-helps-get/


Interested in learning more about HITRUST? Contact one of our certified HITRUST practitioners at info@a-lign.com or 1-888-702-5446.
