In this episode of Ask the Experts, PCI Group Information Security and Compliance Officer Serena Robinson answered, “What is HITRUST?” It’s a question that many ask. It’s specific to the healthcare industry, and many more of our clients in that vertical require it.
HITRUST (Health Information Trust Alliance) certification validates that a company has specific technical security controls in place. Achieving HITRUST certification, as we have, verifies that a company is meeting the standards of HIPAA regulations.
HITRUST consolidates security and privacy provisions into a single standardized framework.
Serena explained, “HITRUST is a higher standard of HIPAA compliance because it defines governance and directives to meet beyond the language in HIPAA. It goes through all three core controls—physical, administrative, and technical—and breaks them down into how you deal with employees, encryption, and access to information.”
Serena noted that HITRUST is heavily reliant on documentation of policies and procedures. Still, it requires more than this to meet the standards. “You actually have to implement them; otherwise, it’s just a piece of paper. Every person must be following them on a daily basis.”
For organizations seeking to obtain certification, Serena said, “If you don’t have documentation, start there. Then focus on meeting the standards.”
For healthcare organizations, working with partners with HITRUST certification provides them additional confidence and peace of mind regarding the security of transactional mail.