In the past, healthcare organizations did not have a standard approach or processes to assess and then report their compliance with various security regulations to the array of business associates, vendors, and others seeking such assurances, says Dan Nutkis, CEO of HITRUST.
However, the new HITRUST CSF Assurance program provides tools--including questionnaires--to help healthcare organizations assess and score their level of security compliance, and report the findings to business associates and other parties seeking the information.
In addition to the score cards, the Assurance program tools provide healthcare organizations with a vehicle to report corrective action plans and other details to help flesh out information about their security compliance, says Nutkis.
"The score cards provide a snapshot" of a healthcare organization's understood compliance with the HITRUST CSF, says Nutkis.
HITRUST's CSF represents a comprehensive security framework of healthcare industry security regulations, including HIPAA and upcoming meaningful use requirements. HITRUST's CSF certification program was unveiled in September.
The new Assurance programs include two levels of assurance--CSF Validated or CSF Certified--based on the size, risk profile and reporting requirements of healthcare organizations.
HITRUST says both the CSF Validated and Certified programs leverage the same tools, processes and security requirements. However, here are the differences, according to HITRUST:
CSF Validated allows organizations to be measured and report their progress against the CSF, as well as providing valuable information such as standardized corrective action plans.
CSF Certified provides additional efficiencies by verifying that an organization has met all of the industry-defined certification requirements of the CSF.
Both "reduce the complexity" in reporting compliance to business associates, said Nutkis.
In related developments, HITRUST's CSF is also gaining interest from states looking to standardize the security requirements for their health information exchanges, said Nutkis. So far, Tennessee is among the states whose public-private health information exchanges are leaning toward standardizing their security requirements based on the CSF, said Nutkis.