On June 29, 2015, the Health Information Trust Alliance (HITRUST) announced that several massive payer organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group will require their business associates to obtain CSF certification. While this is old news, HITRUST assembled more than 350 business-associate attendees at the “Health Industry Third Party Assurance Summit: Driving Efficiencies and Compliance through the HITRUST Assurance Program” last Friday as a way for business associates to (1) better understand the reasons for the mandate, (2) understand the journey to CSF certification, (3) interact with CSF Assessor organizations (such as Coalfire), and (4) learn about current initiatives underway at HITRUST.
The summit commenced with HITRUST’s CEO Dan Nutkis’ introduction to HITRUST, as well as the executive spokespersons from each of the payer organizations in attendance. The payers commented on their rationale for sending out a combined 7,500 letters requiring their business associates and partners to become HITRUST CSF certified. As stated in the letters, “As a key vendor to the healthcare industry, you are keenly aware of the challenges industry organizations face to effectively manage risk and compliance for themselves and their business partners. The need to ensure the appropriate safeguarding of health information by business partners has always been a significant undertaking for both the organization requiring compliance by its business partners and the organization having to demonstrate compliance.”
While the audience seemed to understand the rationale for the requirement, many concerns were voiced by the business associates in attendance. One clear issue was audit fatigue, which refers to the expense, time, and effort required of organizations that have multiple assessment points (such as SOC 2 and CSF certification). In our opinion, the solution may be simpler and less costly than what might be expected. Since the CSF validation process is becoming the ‘de-facto’ standard in the healthcare industry, and given that the CSF maps to numerous other frameworks and regulations (e.g., PCI, SOC, HIPAA, ISO, NIST), assessor organizations with a methodology to support combined audits can significantly reduce the impact of multiple assessment points. This follows the “assess once, report many” philosophy. In Coalfire’s opinion, using the CSF and validation process should be the starting point since the framework was originally developed with the healthcare industry in mind. As a result, both HIPAA Security and Privacy Rule requirements are fully addressed, whereas other frameworks and regulatory requirements do not ensure full compliance with HIPAA nor would allow organizations to pass an OCR audit.
As with any new initiative, including CSF certification, it takes a while for organizations to understand what the ‘ask’ is, so that clear objectives, strategies, and budgeting can be formulated. This initial phase, referred to by Coalfire as the “discovery” phase, is where the majority of organizations that were at the Summit find themselves. While the CSF Assurance program has been in place since 2011, representatives from numerous organizations asked questions to better understand the process, costs, and protocols for navigating the CSF-validation journey. It’s for this reason that we’ve launched HITRUST CSF Discovery Workshops and supporting webinars as a way to educate organizations about the process.
While speaking on a panel at the conference, I stated that the road to CSF certification is different than any other type of assessment. It’s important to invest in the process, prepare for the journey, establish strong relationships with your assessor, educate your employees, and embrace strong communication methods. These attributes are so critical in fact, that Coalfire has dedicated countless hours to perfecting its PASS methodology as announced in a recent press release.
There’s no doubt that the Summit was a success. In our opinion, the success was measured by organizations receiving a better appreciation for the reasons behind the mandate, as well as a better understanding of the process. With 7,500 organizations in scope for the CSF certification process, it is expected that more educational forums will be initiated, both by HITRUST and Assessor firms like Coalfire. And don’t forget, the HITRUST 2016 annual conference will continue the momentum generated from last week’s Summit. In the meantime, let us know how we can assist with your own HITRUST CSF certification needs.