Reduce Audit Time and Penalties with HITRUST CSF v9.5

Did you know HITRUST v9.5 can help reduce OCR audit time and minimize penalties?  Learn more from A-LIGN’s Healthcare and Financial Services Knowledge Leader, Blaise Wabo, on why you should select v9.5 when pursuing a HITRUST certification.

Since 2007, the HITRUST CSF has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the new CSF v9.5 update, HITRUST continues to demonstrate its value for any organization by offering a reformatted report that stakeholders can leverage during an Office of Civil Rights (OCR) audit, following a cybersecurity event or data breach.

Let’s look closer at the cause for the new report, what HITRUST v9.5 includes, and how this update will benefit your organization.

The Beginning: The HIPAA Safe Harbor Bill

The HIPAA Safe Harbor Bill was signed into law on January 5, 2021, by former President Trump. This law amends the HITECH Act so that the Department of Health and Human Services (HHS) and the OCR must recognize and encourage security best practices for HIPAA compliance.  Specifically, HIPAA Safe Harbor reduces financial penalties and the length of compliance inspections for covered entities and business associates that can prove they’ve had “recognized security practices” in place for at least one year.

The HIPAA Safe Harbor bill changed the cybersecurity industry in a big way. If your organization processes Protected Health Information (PHI), Electronic Protected Health Information (ePHI), or Personally Identifiable Information (PII), you could be the target of a cybersecurity breach and, therefore, an OCR audit. If this situation occurs, the HIPAA Safe Harbor bill covers you and acts as a layer of security for your organization if you have a cybersecurity program in place.

HITRUST CSF is one reliable way to achieve HIPAA compliance. In fact, it is the only way to become officially certified in HIPAA compliance. For this reason, the HITRUST CSF is often utilized, and sometimes required, by organizations in the healthcare industry.

What is the HITRUST CSF?

The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA, PCI DSS, GDPR, and more into one comprehensive system, the HITRUST CSF streamlines the audit process by assessing once and reporting against multiple framework requirements.

Thanks to its ability to combine several assessments and requirements into one framework, the HITRUST CSF allows clients to decide what they want to test against and to evaluate the controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.

What’s new in HITRUST v9.5?

Fully implementing the HITRUST approach and achieving HITRUST CSF Certification ensures that covered entities and business associates are able to meet the compliance requirements of the HIPAA Security and Breach Rule.

With the release of HITRUST v9.5, a reformatted report, part of the MyCSF Compliance and Reporting Pack for HIPAA, will be generated during an OCR audit. According to HITRUST, this new report:

  • Is formatted by HIPAA controls and maps the applicable HIPAA requirements to your HITRUST CSF Assessment
  • Provides the ability to select only the regulation subparts that the OCR requests in the event of an audit
  • Maps each requirement to your corresponding policies and evidence for submission to the OCR

What Does HITRUST v9.5 Mean for Your Organization?

The new MyCSF Compliance and Reporting Pack for HIPAA enables organizations to more quickly and seamlessly submit and present compliance evidence. If you already hold a HITRUST v9.3 or v9.4 certification, HITRUST will be unable to create an OCR package upon an audit. In order to better safeguard your organization, you will need to resubmit your assessment for HITRUST v9.5.

If your organization handles PHI, ePHI or PII data, there are two main reasons you may be selected to undergo an OCR audit.  The first is based purely on the number of records that you own and that may have been compromised due to a security breach.  The second reason you may be selected is based on how you responded immediately following the breach.  There are defined laws in place regarding the aftermath of a security breach and the order in which you need to notify all parties:

  1. Notify affected individuals
  2. Notify the Secretary of Health and Human Services (HHS)
  3. Alert the media (in certain circumstances)
  4. Notify covered entities if the breach occurred at or by a business associate

The A-LIGN Difference

We encourage all covered entities and business associates pursuing a HITRUST assessment that may be subject to an OCR audit to select HITRUST v9.5.

A-LIGN’s experience and commitment to quality has helped more than 300 clients successfully achieve HITRUST certification. Our diligent audit process helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any questions you might have through every step of the assessment.