What is HITRUST?
HITRUST (Healthcare Risk Management System) is a collaboration of technology and health information security companies in Frisco, Texas. The collaboration was initiated in 2021 and initially focused on reducing out-of-pocket expenses for healthcare providers who want to reduce fraud and increase accountability. Currently, HITRUST has been incorporated into several enterprise software packages. In addition, several consumer and third-party applications have also been developed to integrate with HITRUST. According to estimates, there are more than two million claims filed through the system every year.
HITRUST is an integrated framework of systems and procedures designed to detect, report and manage health care risks. According to an independent study by McKinsey & Company, a health information security risk management system should integrate “all areas of the company’s activities”. Forcing vendors to integrate all aspects of the organization may not be feasible and could divert resources to areas that yield better returns. In addition to pushing for more control through the adoption of a uniform framework, the HITRUST developers also claim that it is important for vendors to integrate directly with the framework. In essence, an information security vendor will need to be connected to the HITRUST application.
Development of HITRUST
The development of the HITRUST application has been driven by several factors. According to estimates, about half of the overall claims filed through HETPs (Healthcare Environmental Enterprises) are self-referred, meaning that the individuals filing claims do not understand the complete scope of their coverage. On the other hand, there are some third-party vendors that use HITRUST certification as a sales tool to boost business. This practice can become dangerous because individuals seeking benefits may not have a clear understanding of how benefits are calculated or the process of choosing a plan.
The HITRUST application was created to improve the quality of care and shorten the certification process for many healthcare entities. According to the website, once the HITRUST Security Management System is implemented, operators will only have to complete two steps: (a) identify the vendors who will provide the application software and (b) submit an application. This does away with the need for vendors to find and hire individuals with the proper security controls knowledge and experience to ensure that vendors can get certified. According to the HITRUST website, vendors who become certified on this program are identified on the list offered by the Health Insurance Portability and Accountability Act (HIPAA).
For organizations and vendors alike, compliance with HIPAA regulations is crucial for reducing costs and ensuring quality care. This is why HITRUST certification plays an important role in helping organizations meet their obligations and continue to remain competitive in the marketplace. Because the HITRUST Common Security Framework provides a uniform set of rules and standards for all healthcare organizations and suppliers to follow, organizations will be able to identify vendors who have a good track record for developing and maintaining security controls. This will help reduce risks and provide better control over the operational processes and activities related to clinical documentation.
Built-in self-assessment capability
The HITRUST software will include a built-in self-assessment capability that will perform a complete review of an organization’s health care system. The self-assessment will generate an evaluation report that will identify areas of weakness and suggest ways to strengthen the organization’s security controls. To help organizations develop a stronger defense against unauthorized access, the self-assessment report will include recommendations on the design of the enterprise security plan (ESSP), personnel training, and the implementation of measures to protect against external threats. In addition to recommending corrective actions, the self-assessment will also provide recommendations for improving the organization’s communication and security functions and practices.
HITRUST Certification is achieved by the examination of an entire enterprise system, or of one or more isolated components. According to the website, the exams are designed to test the readiness of the enterprise controls to perform their assigned functions and to demonstrate the organization’s ability to handle and protect the most important information in the most secure way. As part of the assessment, each system must be evaluated in four different areas: application control, access and mobility, internal controls, and information assurance. The exams cover these four topics in order to test the organization’s ability to protect its most sensitive information and prevent hacking. The exams measure the following areas:
With the complete assessment, an independent CSF assessment team will determine if the application control, mobility, and information assurance sections of the enterprise system need improvement. If these sections are found to be deficient, the assessment team will recommend appropriate modifications. In order to achieve this certification, the organization must pass all three exams. As part of the requirements, the application security control and mobility requirements must be properly implemented in the enterprise system at the time of the certification.