To stay in front of industry trends, Schellman continually adds to and refines its IT audit and compliance offerings in the healthcare space:
HITRUST certification is not currently a replacement for a SOC 1 or SOC 2 examination. HITRUST and the AICPA have released a mapping document that identifies the CSF controls corresponding to the SOC 2 Trust Services Principles for Security, Availability, Processing Integrity, and Confidentiality.
Privacy requirements are expected to be mapped sometime in 2016, after the AICPA releases its revised Trust Services Principles. According to HITRUST, the AICPA and HITRUST are also working on a combined HITRUST CSF / AICPA SOC 2 reporting structure to support dual assessment and reporting. More information, including a spreadsheet with the detailed SOC 2 to CSF mappings, is available on the AICPA website at www.aicpa.org.
No. The breach reporting and notification requirements apply only when unsecured electronic protected health information (ePHI) is acquired, accessed, used, or disclosed by or to unauthorized individuals. ePHI is considered unsecured if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. Per the Department of Health & Human Services' guidance, which relies on the definition of encryption at 45 CFR 164.304, ePHI at rest or in motion is secured through:
“The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”
This holds only as long as the confidential process or key that would enable decryption has not itself been breached; for that reason the HHS guidance directs that decryption keys be stored on a device or at a location separate from the data they protect, since encryption provides no safe harbor if the key is exposed in the same incident as the ciphertext. Encryption processes for data at rest and data in motion must be consistent with the National Institute of Standards and Technology (NIST) standards referenced in the HHS guidance.
ePHI can also be secured by properly clearing, purging, or destroying the media on which it is stored or recorded, consistent with NIST Special Publication 800-88 on media sanitization, so that the data is irretrievable or the media is unreadable and cannot be reconstructed.
HITRUST rates each control at five maturity levels: Policy, Procedure, Implemented, Measured, and Managed.
Each level is assigned a compliance rating of Non-Compliant, Somewhat Compliant, Partially Compliant, Mostly Compliant, or Fully Compliant, and these per-level ratings are combined into an overall maturity score for the control.
More information on the HITRUST assessment model and scoring approach can be found on page 15 in HITRUST’s risk analysis guide.
Although organizations are expected to implement all 149 controls that apply to them based on their risk factors, HITRUST certification is based on a third-party assessment of 64 high-risk controls.
The high-risk controls were selected through an analysis of past breach data while ensuring the necessary coverage of the HIPAA Security Rule's standards and implementation specifications. All third-party assessments submitted via MyCSF are validated by HITRUST; however, to achieve certification the organization must reach a 3+ maturity rating in each of the assessment domains. For the limited number of controls that are not operating at a 3+ level, a corrective action plan (CAP) must be created. Organizations may also formally accept a very limited amount of risk and still achieve certification.
Both the HITRUST Validated report and HITRUST Certification begin with the organization engaging a CSF Assessor firm to assess the in-scope CSF controls for the system. The in-scope controls are derived from the details entered in the risk-based questionnaire (the Factors tab) of the MyCSF tool; within them, HITRUST has designated 64 specific controls that are required for certification, grouped under 19 assessment domains. To obtain certification, any control that scores less than 3+ requires a corrective action plan.
In addition, every one of the 19 assessment domains must average a maturity rating of at least 3. If any domain falls below a 3, HITRUST issues a validated report rather than a certification. A validated report is, in effect, a noncompliant report: it shows clients that the organization is working through the HITRUST process and may have only one or two areas of noncompliance. If all 19 domains meet the required rating of 3 or higher, HITRUST issues a certified report and the organization is HITRUST certified.