As more healthcare organizations look to move their protected health information (PHI) out of internal data centers to a cloud computing vendor, one of their priorities is ensuring that the vendor’s technology meets the standards of the Health Insurance Portability and Accountability Act (HIPAA). Essentially, HIPAA compliance is table stakes for a vendor to even be considered.
When selecting a HIPAA-compliant vendor, the challenge often lies in deciphering hype from reality. For example, many cloud computing vendors that tout their HIPAA compliance really only meet the minimum standards so they can check that box. Others merely include do-it-yourself tools with their offerings, leaving your organization exposed while continuing to place the burden of HIPAA compliance on your internal IT department.
The risks of not enabling the highest, most reliable level of HIPAA compliance are huge. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has received more than 95,000 complaints related to HIPAA violations since 2003. These privacy violations have resulted in almost 2,500 corrective actions for hospitals, physician practices, outpatient facilities, health plans and pharmacies. Those figures cover data that was under the organizations’ own control.
Sending data to an outside company means you are trusting your organization’s future, and its risk management, to the integrity of that provider’s systems. That’s why you want to be sure the cloud computing vendor you’re working with has achieved Common Security Framework (CSF) Certified status from the Health Information Trust Alliance (HITRUST), a collaboration between healthcare, business, technology and information security leaders.
HITRUST CSF Provides Clear Industry Benchmarks
HITRUST CSF is an information security framework specific to healthcare that incorporates international, federal, state and third-party regulations and standards to establish an encompassing, first-class standard for security, privacy and compliance. It provides a clear and measurable benchmark for identifying hosting/cloud computing vendors that meet the highest standards in HIPAA compliance, reducing your risk to the lowest possible level.
The comprehensive list of standards and regulations assimilated into the certification includes those from HIPAA, HITECH, PCI-DSS, ISO 27001, COBIT, NIST and the FTC, as well as state laws. Rather than having to verify that a third-party partner has met each of these many standards individually, an organization can rely on HITRUST CSF certification to establish that the partner is in compliance with all of them, while eliminating the variability in how acceptable security requirements are defined.
To achieve HITRUST CSF certification, an organization must:
- Successfully demonstrate that it meets all controls in the CSF required for the current year’s certification, at the level appropriate to the organization based on its responses to the requirement statements in the MyCSF self-assessment tool, as evaluated by a third-party assessor
- Achieve a rating of 3 or higher on HITRUST’s scale of 1 to 5 for each control domain documented in MyCSF
By being CSF Certified, an organization communicates to its business partners and other third-party entities (e.g., state or federal agencies) that protecting sensitive information is both a necessity and a priority, that essential security controls are in place, and that management is committed to information security.