Majority of Healthcare Vendors Not Ready to Comply with the HITRUST Data Security Standard

The Department of Health and Human Services’ Office for Civil Rights has stepped up HIPAA enforcement activities in recent years and oversight of covered entities is improving.

One area of HIPAA compliance that has come under increased scrutiny is the effort made by healthcare business associates to ensure protected health information is safeguarded in accordance with HIPAA Rules.

Approximately 30% of healthcare data breaches reported to OCR involved a business associate according to a recent analysis conducted by Protenus. Given the number of breaches involving vendors, it is unsurprising that OCR is looking more closely at business associates.

The increased scrutiny has prompted many healthcare organizations to conduct a review of the measures employed by their vendors to ensure protected health information is appropriately secured and sufficient controls have been put in place to ensure ePHI remains private. Business associates now need to demonstrate they have implemented appropriate controls and are effectively managing cybersecurity risk.

Business associates can demonstrate sufficient controls have been put in place to keep ePHI protected by undergoing a HITRUST CSF examination or completing HITRUST CSF Certification.

HITRUST CSF is a privacy and security framework specifically developed for organizations that create, maintain, transmit or receive PHI. The framework allows organizations to assess the controls that have been put in place to keep PHI secure. If business associates meet HITRUST CSF requirements, it demonstrates to covered entities that security and privacy controls are of a sufficiently high standard.

However, a survey conducted by KPMG of 600 healthcare industry vendors during a recent webcast revealed that the majority of business associates are not ready to meet the demands of the HITRUST Healthcare Data Security Standard. Only 7% of surveyed organizations said they were ready to address HITRUST CSF requirements, while 8% said they were “well along with implementation.” 17.4% of surveyed organizations said the process of meeting the requirements had only just started.

The biggest barrier to meeting HITRUST CSF requirements was staffing issues, which were reported by 15% of respondents, although 47% of respondents said they lacked staff with the necessary skills to execute against the HITRUST CSF. Other barriers were cultural, technological, financial, and reconciling with past HITRUST regulations. 27% of respondents said that all of those barriers existed, while 23% said they didn’t believe there were any barriers preventing them from meeting HITRUST CSF requirements.

Even though meeting the requirements may be challenging, the benefits of HITRUST CSF were recognized. The main benefits were standardized reporting and being able to give assurances on data security standards, both of which were rated as key benefits by a quarter of respondents. Additional benefits were showing progress toward Health Insurance Portability and Accountability Act (HIPAA) compliance, the provision of a blueprint for assessing risks, and meeting contractual requirements.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.