In 2018, we witnessed over $28 million in HIPAA OCR settlements. HIPAA compliance in 2019 is at least a seven-figure risk to covered entities and business associates. The HIPAA settlements, fines, and Corrective Action Plans (CAP) from 2018 resolution agreements provide a clear directive to the healthcare industry, including business associates – establish a credible, evidence-based HIPAA compliance program. HIPAA compliance risk is a business risk. Does your organization have a credible HIPAA compliance program? What does compliance with HIPAA require? How does an organization establish a credible HIPAA compliance program? How is senior leadership assured that the organization has an enterprise-wide HIPAA compliance program that continually addresses HIPAA mandates? This is where the HITRUST CSF standard, and its associated certification, is one that organizations must review closely to ensure their HIPAA compliance program is credible.
Why the HITRUST CSF for HIPAA Compliance?
The HITRUST CSF provides a comprehensive, scalable, and technology-neutral framework to address HIPAA mandates. It is a formal and formidable framework that addresses privacy and security regulatory requirements. We know that compliance with HIPAA requires an organization to address the following on a continual basis:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HITECH Breach Notification
The HITRUST CSF enables an organization, be it a covered entity or a business associate, to formally address these HIPAA mandates. With the application of the HITRUST CSF, an organization knows the exact gaps to address to help ensure credible HIPAA compliance.
Establish HITRUST CSF certification as a strategic goal that must be met. With HITRUST CSF certification, an organization also accomplishes the requirements for NIST CSF certification.
HIPAA Safeguards Map to HITRUST CSF Control Categories
The pillars of HIPAA compliance are based on defined safeguards (e.g. Administrative, Physical, Technical and others), as well as Standards and Implementation Specifications. The HITRUST CSF is architected on the ISO/IEC 27001:2005 control clauses. All HIPAA requirements are mapped by the HITRUST CSF to Control Categories. The HITRUST CSF consists of:
- 14 Security Control Categories
- 49 Control Objectives
- 156 Control Specifications
The first step in the journey to HITRUST CSF certification is to acquire knowledge about this important and credible standard. Get started and leverage the HITRUST CSF standard to establish a credible HIPAA compliance program. For a free white paper on HITRUST Certification = Credible HIPAA Compliance, and to schedule a complimentary private Webinar on this topic, contact Ali.Pabrai@ecfirst.com.
Date: April 16, 2019