cyBARR Chats HITRUST Edition: FAQ with Senior Consultant Swathi West

August 23, 2020 | Videos
cyBARR Chats: HITRUST Edition is a video series that covers updates, trends, and everything you need to know related to HITRUST. In the inaugural episode, Swathi West, senior consultant, answers frequently asked questions about HITRUST certification.

Transcript

Michelle: [00:00:00] Hi everyone. And welcome to cyBARR Chats: HITRUST Edition, a special series of cyBARR Chat that covers updates, trends, and everything you need to know related to HITRUST, featuring subject matter expert and senior consultant Swathi West. Let’s get started with some HITRUST basics. Swathi, who needs to be HITRUST certified?

Swathi: [00:00:23] I’ll try to keep it as simple as possible, Michelle. For most of our clients, HITRUST certification is triggered by their customers. For example, if you want to do business with covered entities like Anthem, Humana, or United Health Group, any organizations like that, you need to get HITRUST certified, but we’re currently seeing this trend changing.

[00:00:44] If you think about HITRUST, it is a framework which is built on other standards and regulatory factors. So I would say in this day and age, HITRUST is a great framework to adopt and get certified if you would like to comply with other regulatory factors like HIPAA, PCI, NIST, et cetera, because of its prescriptive nature.

[00:01:03] It’s a great framework to adopt for any organization.

Michelle: [00:01:08] So how long does it take to get HITRUST certified?

Swathi: [00:01:11] This is a great question and quite common that we received this one from most of our clients. Every organization, every scope, and every engagement is different. All of these factors together would decide the time, but most important, the most important than the, our clients’ experience HITRUST, you know, their experience on HITRUST when they involve external assessors and the process will trigger this timeline. I can tell you one thing for sure that once an external assessor, you know, firms like us, like BARR start testing, we only have 90 days to test and submit to HITRUST. So currently QA is taking four to six weeks to complete its review. So from all of this, I would say it can take up to three to four months to complete the assessment and obtain certification once an organization is ready. I just wanted to reiterate that organizations should be ready because we have to do a self-assessment, we have to know what the gaps are. So if the organization has a little bit of knowledge, you know, have an assessor ready, I think I would say three to four months is what we’re looking for.

Michelle: [00:02:20] What are some key outcomes or benefits an organization can expect from getting HITRUST certified?

Swathi: [00:02:23] As we already covered, a great benefit for any organization would be business, because having HITRUST certification makes them stand out from the competition.

[00:02:35] And also it provides great trust with the stakeholders. And honestly it provides great security. Adopting a risk framework by itself in general, would greatly decrease the risk of data loss or breach and things like that. So I personally would say that, you know, having a great secure environment is a great benefit.

[00:02:54] And also my personal favorite is like what HITRUST is, you know, concentrating and doing more emphasis on ongoing improvement. So if you think about it, HITRUST, it is valid for two years, but we still do an interim assessment the second year, just to concentrate more on what are the corrective action plans or what are they doing to do better than whatever they had in the first year.

[00:03:18] So I would say ongoing improvement is something, you know, it’s definitely a great benefit.

Michelle: [00:03:26] What would be your advice for someone who is looking into HITRUST certification?

Swathi: [00:03:32] Great question. I would say HITRUSTAlliance.net is a great place to start. They have great publicly available downloads that you could use, and a lot of webinars that you can attend. And also they have trainings, which, you know, it’s, it’s open to public. If you want to be an assessor or even an organization to start learning what HITRUST is, they have trainings available. And also just, you know, trainings for QA review. You want to know what happens or what should a QA review look like when you’re submitting to HITRUST or just to learn how, in general, MyCSF, they have great trainings that you can attend. I also wanted to emphasize contacting the assessor firms is really important in this process.

[00:04:14] So if you contact the assessor firms early on, even though organizations can do self-assessment by themselves, having an assessor would be a great start because we can help you in the right direction. We can ask you the right questions and it also helps to have that communication going for the validated because we already know the scope.

[00:04:36] You know, we know what the engagement is going to look like. So contacting the assessor firms is a great first step just to kind of, you know, get your word out there, talk to different people. So I would say that’s an important thing for anyone who’s starting into HITRUST. And also there’s this thing where, you know, most of the people just only look at the requirements statement.

[00:04:56] It can get really overwhelming once you see, “oh my, there are 200 controls, 300 controls.” So I would say, just look at the illustrative procedures, right? Are all of these controls for policy, process, implementation, or measure to manage, because the illustrative procedures give you more of an idea about what the testing is going to look like or what HITRUST is looking for that specific requirement.

[00:05:18] So I would say that that’s a great tip if you wanted to kind of start looking at your HITRUST, that’s a great place to start as well. And, you know, just keep in mind, before an external assessor starts testing, right, before BARR starts testing, organizations, assessment, everything should be ready and should be implemented.

[00:05:36] And so just, keep that in mind, having that self-assessment is also important. Most of the clients don’t, you know, are in a place where they don’t know do I need to do it, or how important it is? I would say it is really important because just having that gap analysis and giving ample time to kind of understand what gaps we have, what it takes to remediate, and then doing a validated assessment is going to set up the client for success.

Michelle: [00:06:03] Wonderful. Well, Swathi, thank you so much for your time today and addressing these frequently asked questions that we see. We are all looking forward to more HITRUST insights next time on cyBARR Chats: HITRUST Edition. Have a great day.

Swathi: [00:06:18] Thank you, you too.