New Privacy Controls Incorporated in HITRUST Common Security Framework

The Health Information Trust Alliance (HITRUST) has revealed that version seven of the HITRUST Common Security Framework (CSF) – due to be issed later this month – will include a number of new privacy controls.

HITRUST was set up in 2007 with the aim of helping the healthcare sector with the move over to electronic health information systems. The alliance has worked with the public and private sector to implement tools to help healthcare organizations protect electronic health information systems and secure the Protected Health Information (PHI) they contain.

Numerous programs have been supported over the period of the past 15 years, with the development of its Compliance Management Framework (CSF) the most publicly known. It has been adopted by over 84% of health plans and hospitals and is currently the most known used security framework in the United States healthcare sector

The HITRUST Privacy Working Group has been developing a number of new privacy controls for the last 18 months to help HIPAA-covered entities better structure their privacy and security programs. The HITRUST PWC made a number of approvals and the specific privacy control categories, objectives, specifications and requirements have now been included in the CSF.

Angela Holzworth, senior information risk analyst at HITRUST, stated “The new HITRUST CSF privacy domain facilitates an integrated approach to protect personal health information, aids in regulatory compliance, is consistent with healthcare industry trends, and enhances the current HITRUST CSF.”

“From the beginning, HITRUST has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it. Privacy was always seen as a component of a complete framework,”according to Daniel Nutkis, Chief Executive Officer of HITRUST. He added “Seven years ago when we began to create the CSF, we focused on the development and adoption of the security controls as a means to drive greater compliance by organizations with the HIPAA security requirements. Now that we have achieved broad adoption, we can join privacy controls with the framework.”

Michelle Nader, Staff Vice President (Ethics & Compliance) and CPO of Anthem, Inc., remarked by saying “By identifying the controls and requirements that support both disciplines, organizations now have the option to certify their programs for security, privacy, or both.”

HITRUST also announced that the seventh version of its CSF would also include Minimum Acceptable Risk Standards for Exchanges (MARS-E) and the organization would be publishing new guidance for cyber security. It has also improved its risk factors and assurance methodology and is now refreshing MyCSF to include the new privacy controls.