HITRUST Adds Privacy Controls to Framework
Aim Is to Simplify Risk Compliance Efforts
Healthcare organizations looking for help building an integrated approach to privacy and security compliance will soon have a new tool available.
The Health Information Trust Alliance is adding privacy controls to the latest version of its Common Security Framework, slated to be released Jan. 31.
In addition to the new privacy controls for HIPAA compliance, version 7 of HITRUST's framework also will incorporate Minimum Acceptable Risk Standards for Exchanges, the security requirements for health insurance exchanges under the Affordable Care Act. The updated framework also will feature additional guidance for cybersecurity and enhancements to risk factor and assurance methodology.
Health Sector Framework
HITRUST, an industry consortium launched in 2007, designed the framework to be used by any organization that creates, accesses, stores or exchanges personal health and financial information. It offers guidance on compliance with the HIPAA privacy and security rules, as well as other standards, including the National Institute of Standards and Technology's SP 800-53 r3 recommendations on security controls.
As for the privacy controls being added, "there are approximately 100 discrete changes to content along with all the associated mappings to the HIPAA Privacy Rule and NIST SP 800-53 r4 Appendix J," a HITRUST spokeswoman explains.
The framework is available free to HITRUST members. Annual subscriptions to HITRUST start at $7,500, the spokeswoman says. The subscription includes a portal that allows members to monitor compliance throughout the year. Organizations can get certified for compliance with the framework through a process that involves self-evaluation, third-party assessment, remediation if necessary, and review by HITRUST.
HITRUST says in a statement that its privacy working group developed the privacy controls over the last 18 months with the goal of producing "better alignment between healthcare organizations' security and privacy programs and allowing for an integrated approach for protecting health information under HIPAA." After conducting a review of various privacy frameworks, standards and regulations, the working group recommended the inclusion in the framework of specific privacy control categories, objectives, specifications and requirements.
"Over the past few years, we have seen an integration of privacy with security," says Phil Curran, chief information assurance and privacy officer at Cooper University Health Care in Camden, N.J. "As with security controls, there are multiple sources for privacy controls. Consolidating the privacy controls into one document and combining those controls with the CSF domains will allow organizations to centrally manage all the controls required for compliance," says Curran, a member of the HITRUST working group that developed the controls.
"The new document makes my job as both information assurance and privacy officer much easier as I no longer have to refer to multiple documents," he says.
Privacy and security controls are both essential components to any comprehensive data protection program, says Caroline Lavelle Budde, chief privacy officer of retail drug store chain Walgreen Co. "The addition of privacy controls to the CSF framework will allow organizations to maximize resources with a consistent approach to data protection and regulatory compliance," she says.
Security expert Tom Walsh, president of Tom Walsh Consulting, is hopeful that integrating privacy controls into HITRUST's security framework will prove helpful for many health entities.
"Having a common governance framework for covered entities to follow for both security and privacy removes a lot of the guesswork out of compliance," he says. "HITRUST goes beyond HIPAA and also incorporates compliance with the Payment Card Industry Data Security Standard."
One drawback, however, is that using the framework may be too expensive for many smaller healthcare entities, Walsh contends.
But Walsh notes that healthcare organizations can take advantage of other free resources to help with their compliance efforts.
Those include, for example, the Department of Health and Human Services Office for Civil Rights' HIPAA Audit Program Protocol, he says. The HIPAA audit protocol, unveiled by OCR in June 2012, will be updated soon as the agency begins a new round of HIPAA compliance audits this year that will also include business associates, as well as covered entities.
Walsh also notes that NIST offers a detailed cybersecurity framework, as well as the Special Publications 800 Series, which provides risk management guidance.
In a recent blog offering tips for healthcare entities implementing a risk management framework, Christopher Paidhrin, security administration and integrity manager in the compliance division of PeaceHealth, a healthcare delivery system in the Pacific Northwest, says that "the rapid rise of cyberattacks on healthcare organizations necessitates the use of a cyber-centric framework."