HITRUST Common Security Framework to Include New Privacy Controls

Share this article on:

This week, the Health Information Trust Alliance (HITRUST) announced that version seven of the HITRUST Common Security Framework (CSF) – due to be released later this month – will incorporate a number of new privacy controls.

HITRUST was formed in 2007 with the aim of assisting the healthcare industry with the move over to electronic health information systems. The alliance has worked with the public and private sector to develop tools to assist healthcare organizations protect electronic health information systems and safeguard the Protected Health Information (PHI) they contain.

Numerous programs have been supported over the course of the past 15 years, with the development of its Compliance Management Framework (CSF) the most widely known. It has been adopted by over 84% of health plans and hospitals and is currently the most widely used security framework in the United States healthcare industry.

The HITRUST Privacy Working Group has been working on a number of new privacy controls for the last 18 months to help HIPAA-covered entities better organize their privacy and security programs. The HITRUST PWC made a number of recommendations and the specific privacy control categories, objectives, specifications and requirements have now been incorporated into the CSF.

Angela Holzworth, senior information risk analyst at HITRUST, said “The new HITRUST CSF privacy domain facilitates an integrated approach to protect personal health information, aids in regulatory compliance, is consistent with healthcare industry trends, and enhances the current HITRUST CSF.”

“From the beginning, HITRUST has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it. Privacy was always seen as a component of a complete framework,” said Daniel Nutkis, Chief Executive Officer of HITRUST. He went on to say “Seven years ago when we began to create the CSF, we focused on the development and adoption of the security controls as a means to drive greater compliance by organizations with the HIPAA security requirements. Now that we have achieved broad adoption, we can join privacy controls with the framework.”

Michelle Nader, Staff Vice President (Ethics & Compliance) and CPO of Anthem, Inc., said “By identifying the controls and requirements that support both disciplines, organizations now have the option to certify their programs for security, privacy, or both.”

HITRUST also confirmed that the seventh version of its CSF would also incorporate Minimum Acceptable Risk Standards for Exchanges (MARS-E) and the organization would be issuing new guidance for cyber security. It has also enhanced its risk factors and assurance methodology and is now updating MyCSF to incorporate the new privacy controls.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On