What is HITRUST?

If you’re already well versed in healthcare IT, then you’re probably familiar with HITRUST. But in case you need a reminder, the Health Information Trust Alliance, or HITRUST is…

…a company that works in collaboration with healthcare, technology and information security leaders, to establish a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards.

Think of HITRUST as HIPAA on steroids. It’s the gold standard when it comes to patient privacy and data security for the healthcare market. And because it’s such a leader in the space, it’s important to stay on top of the latest HITRUST developments.

In this article, we’ve rounded up three new developments out of HITRUST in the last few months that have significant implications for healthcare IT software development and delivery. Keep reading to learn more:

Standardizing Security for Global Markets

Last year, the EU General Data Protection Regulation (GDPR) went into effect. As we’ve written about previously, this law has enormous implications for the healthcare industry in terms of patient privacy and data security. In recognition of the changes that GDPR is bringing to bear in the healthcare industry, HITRUST recently announced it will expand its framework to include both the GDPR and the Singapore Personal Data Protection Act (PDPA) requirements – pulling them into what HITRUST describes as a global ‘one framework, one assessment’ model.

According to Bryan Cline, vice president of standards and analysis at HITRUST:

“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally.”

In the near future, obtaining HITRUST CSF certification will allow companies to streamline their compliance approach. This means that, rather than having to determine compliance region by region, they’ll be able to demonstrate that they meet HIPAA, GDPR, PDPA, and other international patient security provisions and regulations through one overarching assessment. As a result, HITRUST expects its certified organizations will experience lower compliance costs and fewer legal challenges on the whole.

Standards to Manage Healthcare Supply Chain Risk

Standard Certification

Assessing the security and regulatory compliance of third-party vendors has long been a challenge for healthcare organizations. Today, it is even more so as hospitals and healthcare organizations increasingly make the transition to cloud IT infrastructure. It’s such a problem that the newly formed Provider Third Party Risk Management Council – comprised of healthcare chief information security officers (CISOs) – is pushing the industry to adopt a standardized approach to manage third-party vendor risk. Its solution? HITRUST’s CSF Certification. The council has worked with HITRUST to develop a standard robust enough that CISOs are willing to rely solely upon it to qualify vendors – eliminating the need for additional vetting and smoothing the way for IT vendors to more easily and cost-effectively demonstrate data privacy and security compliance.

Standard Assessment

In tandem with this work, last month HITRUST launched its third-party assurance (TPA) risk triage methodology. This tool gives healthcare organizations a standardized way to determine the type and rigor of security and privacy controls required from their IT partners. Organizations can then better assess their current and future partners, and ensure that adequate levels of due care and diligence for the protection of sensitive information and patient privacy are in place (depending on the requirements outlined in HITRUST’s methodology). The methodology even includes a risk-scoring model to help identify areas of risk and offer specific recommendations for the “type and rigor of the assessment and the maturity of the organization’s information protection.”

You can read more about the Provider Third Party Risk Management Council’s standardization efforts here. Or click here to read more about HITRUST’s risk triage methodology.

Helping Startups Get HITRUST Certified

It’s not news that obtaining HITRUST certification can be an arduous process for IT vendors. In fact, this process can be a barrier to entry for resource-constrained start-ups new to the healthcare industry. That’s why HITRUST recently launched a security program to help start-up companies bolster their privacy and security foundations, including the adoption of comprehensive risk management, compliance and security services. By helping these companies bake security best practices into their offerings from the beginning, HITRUST is helping new, innovative solutions meet the security requirements necessary for widespread adoption in the healthcare market. Learn more about this program here.

If your organization is in the process of developing an IT solution for the healthcare market or looking to modernize an existing healthcare application, and you want more information about HITRUST enablement, let’s connect. We have a long history of developing custom software solutions for the healthcare market, partnering with HIPAA and HITRUST certified cloud partners and helping our clients put the right security measures in place to obtain HITRUST certification.


Jamie Murphy

Marketing Strategist, busy mama, & blogger extraordinaire