HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HITRUST Common Security Framework to Include New Privacy Controls

This week, the Health Information Trust Alliance (HITRUST) announced that version seven of the HITRUST Common Security Framework (CSF) – due to be released later this month – will incorporate a number of new privacy controls.

HITRUST was formed in 2007 with the aim of assisting the healthcare industry with the move over to electronic health information systems. The alliance has worked with the public and private sector to develop tools to assist healthcare organizations protect electronic health information systems and safeguard the Protected Health Information (PHI) they contain.

Numerous programs have been supported over the course of the past 15 years, with the development of its Compliance Management Framework (CSF) the most widely known. It has been adopted by over 84% of health plans and hospitals and is currently the most widely used security framework in the United States healthcare industry.

The HITRUST Privacy Working Group has been working on a number of new privacy controls for the last 18 months to help HIPAA-covered entities better organize their privacy and security programs. The HITRUST PWC made a number of recommendations and the specific privacy control categories, objectives, specifications and requirements have now been incorporated into the CSF.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Angela Holzworth, senior information risk analyst at HITRUST, said “The new HITRUST CSF privacy domain facilitates an integrated approach to protect personal health information, aids in regulatory compliance, is consistent with healthcare industry trends, and enhances the current HITRUST CSF.”

“From the beginning, HITRUST has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it. Privacy was always seen as a component of a complete framework,” said Daniel Nutkis, Chief Executive Officer of HITRUST. He went on to say “Seven years ago when we began to create the CSF, we focused on the development and adoption of the security controls as a means to drive greater compliance by organizations with the HIPAA security requirements. Now that we have achieved broad adoption, we can join privacy controls with the framework.”

Michelle Nader, Staff Vice President (Ethics & Compliance) and CPO of Anthem, Inc., said “By identifying the controls and requirements that support both disciplines, organizations now have the option to certify their programs for security, privacy, or both.”

HITRUST also confirmed that the seventh version of its CSF would also incorporate Minimum Acceptable Risk Standards for Exchanges (MARS-E) and the organization would be issuing new guidance for cyber security. It has also enhanced its risk factors and assurance methodology and is now updating MyCSF to incorporate the new privacy controls.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.