
cyBARR Chat: HITRUST Edition Episode 7: Experience the MyCSF Compliance and Reporting Pack for HIPAA

November 12, 2021 | HITRUST



[00:00:00] Claire McKenna: Hello everyone, and welcome to episode seven of cyBARR Chats: HITRUST Edition. Today we’re taking a look at the MyCSF compliance and reporting pack for HIPAA and discussing how you can best streamline HIPAA compliance in your organization with HITRUST manager Swathi West. So let’s jump right in.
So I think to get started, can you tell us a little bit about why it’s important to use strategic tools for HIPAA?
[00:00:24] Swathi West: It is important to use strategic tools like the HITRUST CSF framework or the HITRUST MyCSF platform and the HITRUST CSF assessments for HIPAA compliance, because they work together harmoniously to support organizations in their efforts to achieve, maintain, and also provide assurances surrounding HIPAA compliance.
You know, with the regulations constantly evolving, threat landscape changing, organizations must continuously work one step ahead, and by using HITRUST’s integrated approach to information risk management and compliance, organizations can achieve their security and privacy goals, also including HIPAA compliance regulations.
So it’s very important to use strategic tools like the HITRUST CSF framework or the platform to achieve HIPAA.
[00:01:16] Claire McKenna: Got it. And so what is the new MyCSF compliance and reporting pack for HIPAA feature, and how does it enhance the use of the MyCSF tool?
[00:01:26] Swathi West: And the HITRUST MyCSF, the compliance and reporting pack for HIPAA, collects specific information during the HITRUST CSF assessment process that is needed to comply with HIPAA.
So we’re already having the HITRUST CSF assessment. Our clients would go through that assessment already. But this compliance pack reporting pack for HIPAA would just collect the information that’s needed for HIPAA, which is already there. We already provide you have evidences, but by doing that, we’re able to generate a report formatted by HIPAA controls that maps the applicable HIPAA requirements to our clients’ HITRUST CSF assessment. This also helps us by providing only the evidence that the OCR is requesting and also mapping each requirement to the corresponding policies and evidences to submit to OCR. So this just makes it easier and like a one-stop shop where you go, you have everything that’s required for HIPAA, and you can report it back to OCR.
And this is good because, you know, we already are doing the work and we’re already providing the evidences. But by this, we’re having this process more streamlined and there’s like a one-stop shop where you can go and look at your HIPAA evidences and hip-hop.
[00:02:43] Claire McKenna: Got it. Definitely sounds like it makes things easier. Why else should organizations utilize the MyCSF compliance and reporting pack to streamline compliance?
[00:02:52] Swathi West: Organizations can use the MyCSF compliance reporting pack to streamline HIPAA compliance because it saves countless hours in gathering information and preparing reports associated with an OCR audit.
Because like I said, we already have the information we already provided by using this pack. It just saves a lot of time because you bill, it takes the information that we already provided to give the HIPAA compliance pack. And you know, this helps by, you know, we can rely on HITRUST CSF, and also this can help support HIPAA compliance effort.
And this is, this compliance pack is also a mechanism to quickly and easily self-report against any HIPAA compliance. You know, anything that the OCR is requesting, all the information, you can just go to this pack and you can provide to OCR. And also this is a very helpful resource during any interactions with, like, internal or external stakeholders.
When they’re inquiring about HIPAA compliance, you can just use this reporting pack to provide them with information. It’s not just HITRUST MyCSF now. And it also gives more information on your HIPAA and where you’re at with HIPAA compliance. So it really helps with your communications with their state.
[00:04:09] Claire McKenna: Got it. And one of the benefits of MyCSF compliance and reporting pack is what HITRUST calls reliability. Can you tell us what that is and why it’s so important?
[00:04:20] Swathi West: Great question. They always talk about real reliability in regards to their HITRUST CSF assessments in general, because it is a great standard for information assurance reports.
You know, it, it’s commonly used by organizations that need to comply with HIPAA or, you know, any other compliance that’s out in the world. And it helps to successfully used to demonstrate, uh, in any compliance audits, in this case for HIPAA, with OCR audits. And it also provides many advantages over other assessment reports that are out in the world because it offers that reliability, and it’s just a little bit better than any other report because, you know, you can rely on it. It’s just simple as it is because, you know, this compliance and reporting pack provides that reliability by providing transparency, scalability, consistency, accuracy, and integrity, and efficiency. If you think about it, you know, like I said, it’s like a one-stop shop for HIPAA.
It’s, everything’s mapped to HIPAA’s. It’s just easy and it’s scalable and it’s more accurate. You know, trying to figure out what those are auditing you are not trying to gather everything. It’s just, it’s there for you. And you’re working. It’s a con uh, continuous monitoring is in place. So it’s very efficient in that.
And it integrates other work which you’re already doing. So I would say that’s another, that’s the biggest reason why it’s very, it’s a reliable, because it’s, you know, we can rely on this by doing MyCSF assessment. It also helps with your HIPAA audit.
[00:05:54] Claire McKenna: Got it. And why is the HITRUST MyCSF compliance and reporting pack for HIPAA the best approach for the Office for Civil Rights, or OCR, audits initiating a HIPAA compliance audit, right?
[00:06:05] Swathi West: The Office of Civil Rights, the OCR, will notify a covered entity in writing, usually by mail or email. This OCR letter would introduce the audit team, explain the audit process, discuss what they’re expecting, and also ask for any evidences to provide any documentation for all the questions.
So, you know, if the covered entity, after getting all of this information, they’re like, they’ll be able to submit documentation. If they can submit a documentation with a very strong written narrative response for all their questions, OCR investigators at their discretion may, you know, may think like there’s no further action is required, right?
I mean, they’re asking you to provide all this and you were like giving a very good answer in general. They’re like, oh, you know, they probably have everything in place and we don’t have to do any further audit. But, you know, for that, to provide that a good narrative or a good response, you never know, because you never know when they’re asking. You don’t have everything in place.
You don’t have documentation. You, you started collecting, but by using the MyCSF compliance reporting pack for HIPAA, we can gather the documentation that’s needed and to provide a compliant. For them, like we can provide an assurance that, you know, we’re compliant. We have all the documentation. And also in addition to that, for organizations with the HITRUST CSF certification, HITRUST also offers a free regulatory assistance center.
So you can always, like, ask them if you have any questions or even they’ll help you through a HIPAA. So there’s so much that you can do and, you know, that would help our covered entities when they do get into these questions or, uh, get a mail from OCR. The HIPAA compliance pack will really help them to gather the documentation.
[00:08:00] Claire McKenna: Got it. That is definitely great information. I have one last question for you today. So how does the MyCSF version 9.50 update incorporate modifications to support the introduction of this tool, the MyCSF compliance and reporting pack for HIPAA?
[00:08:18] Swathi West: As part of, you know, HITRUST’s continuous commitment to improve their products and services. I’ve just always, you know, we’ll come up with some kind of feature. But I personally like the MyCSF compliance reporting pack for HIPAA. This is not being done for any other versions before 9.5. So for 9.3 or 9.4, we do have some organizations that were working today, um, asking for us like, hey, can we get compliance pack, but we’re still a 9.3 or 9.4, but we can’t, you have to be 9.5 to get MyCSF compliance pack.
But you know, our suggestion is more like, hey, next year, when you do an interim or validation again, we can just use the 9.5 because it’s a great feature. And we want all our organizations I’m working with to have it, but this compliance pack for 9.5, the best benefit is because it streamlines how organizations capture and present HIPAA to, you know, for their compliance evidence.
Like I said, it’s just a one stop shop. You have everything related to HIPAA in one place, and it’s easy to collect evidence, easy to provide evidence. And it just saves so many hours just by, you know, collecting and documenting, preparing. Um, if you have an OCR audit and you have this, MyCSF compliance pack, it just saves you so much time.
So this kind of changed the trajectory a little bit after version 9.5, because it’s easy for HIPAA audits, easy for HIPAA compliance. But like I said, for today, it’s only with 9.5. If you’re a 9.4, 9.3, anything prior, you don’t have the pack, but if you are 9.5, you, you can have the HIPAA compliance pack.
[00:10:00] Claire McKenna: Got it. Well, Swathi, thank you so much for all of your insight. And we look forward to seeing everyone next time on cyBARR chats, HITRUST edition.
[00:10:09] Swathi West: Thank you.