Though considered somewhat abbreviated in comparison to HITRUST’s other certification options, the HITRUST e1 Certification still represents a potentially beneficial path, particularly for those organizations that have already established their compliance programs.
Service providers—e.g., SaaS, IaaS, PaaS—are currently seeing significant growth in the healthcare vertical, where they’re classified as “business associates” to the healthcare providers, insurers, and clearinghouses that are collectively referred to as “covered entities.” (Note that subcontractors to business associates are also classified as business associates.)
Choosing your doctor is a big decision, right? You want someone licensed, with a medical degree, who can interpret your reported symptoms and treat you so that you reach your desired result: feeling better. It is a personal relationship, so you likely research their practice, make sure they can accommodate your conditions, and check reviews on their bedside manner. Because your doctor's work matters so much to your health, vetting them this thoroughly and being comfortable with them is worth the effort. The same is true for your HITRUST external assessor.
While the latest version of any product is often assumed to be the greatest, there is more nuance involved in deciding which version of the HITRUST CSF® framework to use for certification. Currently, users can choose from versions 9.1, 9.2, 9.3, and 9.4. The impending release of HITRUST CSF v10p (preview) in mid-May 2021, with a full release of v10 scheduled for later in the year, raises further questions: whether to make the jump to v10 right away, whether you have to make the jump at all, and when you will be required to do so. We tackle all three below.
A SOC 1 Type 2 examination evaluates both the design and the operating effectiveness of your controls over the review period, so any instance in which a control did not operate as stated must be disclosed in the service auditor's testing results. These instances are commonly called testing "exceptions" or "deviations," because they are departures from the stated control activity. Identifying at least one exception is a common occurrence, whether the cause is an outage, a failure to document a manual process, or a simple oversight. There are, however, a few questions you can ask both your auditors and yourselves to help manage the exceptions.
The Health Insurance Portability and Accountability Act (HIPAA) has been receiving renewed attention, driven by the omnibus final rule published in 2013 and the increased scrutiny brought on by recent healthcare data breaches. The omnibus final rule implements modifications mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made business associates directly responsible for complying with HIPAA requirements alongside the covered entities that were already subject to them. The HITECH Act also brought the breach notification and privacy responsibilities of covered entities and business associates to the forefront.