HITRUST adds privacy controls to framework

The Health Information Trust Alliance (HITRUST) has added privacy controls to version seven of the HITRUST Common Security Framework (CSF), which is being released later this month.

This addition creates a fully integrated privacy and security framework that meets the regulatory requirements of the US healthcare industry. Organizations can now rely on a single framework to manage their information privacy and security risk and compliance.

Developed over the last 18 months by the HITRUST privacy working group, the privacy controls produce better alignment between healthcare organizations' security and privacy programs and allow for an integrated approach for protecting health information under HIPAA.

After conducting a review of various privacy frameworks, standards and regulations, the working group recommended the inclusion of specific privacy control categories, objectives, specifications and requirements by implementation level.

In addition, this release of the HITRUST CSF incorporates the Minimum Acceptable Risk Standards for Exchanges (MARS-E), additional guidance for cyber security, and enhancements to risk factors and assurance methodology.

“The new HITRUST CSF privacy domain facilitates an integrated approach to protect personal health information, aids in regulatory compliance, is consistent with healthcare industry trends, and enhances the current HITRUST CSF,” said Angela Holzworth, senior information risk analyst, Highmark Health and HITRUST privacy working group chair. “I am proud of the deliverable we have developed and thankful for the opportunity to work with a wonderful and talented group of people.”

Michelle Nader, staff vice president, ethics & compliance and chief privacy officer, Anthem, added: “Given the multitude of federal and state regulations incorporating privacy and security requirements, a fully integrated privacy and security framework provides privacy and security professionals advantages over disparate approaches, allowing the organizations to effectively manage their information protection program.

“By identifying the controls and requirements that support both disciplines, organizations now have the option to certify their programs for security, privacy, or both,” Nader concluded.