Information security is a concern across industries, and healthcare is no exception. To address this issue, in 2007 the healthcare sector launched a nonprofit organization called the Health Information Trust Alliance, or HITRUST.
The HITRUST Common Security Framework (“CSF”) offers healthcare organizations a set of controls that meet a variety of regulatory requirements and international standards. In addition, HITRUST’s Third Party Assurance program, in conjunction with HITRUST CSF Assurance programs, can streamline the third-party risk management process.
Although attaining HITRUST certification is a large-scale project that touches on many areas of the organization, the benefits outweigh the costs. HITRUST certification has become the gold standard for healthcare information security because it demonstrates that an organization is committed to protecting sensitive data with protocols that harmonize security and privacy standards. In June 2015, several major healthcare organizations—including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group—announced that they would require business associates to obtain a HITRUST CSF certification within 24 months. The 7,500 companies that do business with these major payers have until June 2017 to attain this goal.
The HITRUST Business Associate Council
As HITRUST programs gain wider acceptance, business associates naturally have concerns about healthcare data security issues, as well as questions about the HITRUST Third Party Assurance program. In response, HITRUST has created the HITRUST Business Associate Council, or BA Council. Here is some background on the group and the benefits it provides:
- The BA Council offers a forum for healthcare business associates and vendors to collaborate and discuss third-party healthcare data security issues. It also enables members to engage directly with HITRUST on topics related to the HITRUST Third Party Assurance program.
- HITRUST has named 17 founding members of the BA Council, representing a cross-section of technology vendors that work with the healthcare and public health sectors and including security, risk, compliance, and audit executives. Organizations currently on the BA Council include Arvato Digital Services, Armor, Availity, Azure (Microsoft), Catalyze, Change Healthcare, Cognizant, Dropbox, Epic Systems Corporation, Fiserv, Healthedge, HMS, PDHI, RR Donnelley, Salesforce, West Corporation, and Xerox Corporation.
- The BA Council had its first meeting in April at the HITRUST 2016 Annual Conference. There will be three additional BA Council meetings in 2016.
Companies that are healthcare business associates will certainly want to keep abreast of the BA Council’s discussions and proceedings. At the same time, organizations should start making plans to obtain a HITRUST certification. Failure to obtain a certification by 2017 could result in lost business for companies that work with the largest healthcare payers.
It’s also important to remember that obtaining a HITRUST certification requires hiring a HITRUST-approved CSF Assessor to perform the independent validation. For more information on HITRUST certification, contact a Schellman & Company HITRUST expert.