Michelle: [00:00:00] Hi everyone, and welcome to our second episode of cyBARR Chats: HITRUST Edition, where we’ll discuss a variety of HITRUST topics like the cost of getting HITRUST certified, the difference between HIPAA and HITRUST, readiness assessments, and more. So, let’s get started with our Q&A with senior consultant, Swathi West.
Michelle: [00:00:21] Swathi, what are the costs associated with getting HITRUST certified?
Swathi: [00:00:26] Great question, Michelle. A few essential things to consider are the cost of the readiness assessment. A readiness assessment is not required for HITRUST certification, but if the organization prefers to assess where they’re at with HITRUST, there are costs associated with that, and some of the applications would be separate. We also have excellent assessor fees, which depend on the assessment scope. This varies by your organization. It can be a number of control systems, or even regulatory factors can play an important role here. So, costs are definitely tailored to each organization and discussing with external assessor organization firms, like BARR and HITRUST, would be really helpful. And it’s also important to consider the number of hours the organization has to work and, you know, budget, financial planning, walkthroughs, and even time to provide evidence for external organizations, and HITRUST is an important thing to consider as well.
[00:01:21] Michelle: [00:01:21] And how important is it to do a readiness assessment and what’s BARR’s approach?
[00:01:25] Swathi: [00:01:25] As I already mentioned, a readiness assessment is not required for HITRUST certification, but it is really helpful in preparing and practice certification. If the organizations want to do a readiness assessment, the earlier the assessor firms are involved, the better the outcome would be for the certification. If you think about it, the implemented systems should be implemented and should be in place for 90 days. So, the sooner we know the gaps, the sooner we can remediate, to have a successful certification. BARR can help clients with scope discussions, make sure anything that has to be implemented is properly implemented and understand the gaps, identify what kind of evidence HITRUST is looking for in a specific requirement and help the clients throughout the certification process.
[00:02:12] Michelle: [00:02:12] And could you talk a little bit about how HIPAA and HITRUST are related?
[00:02:17] Swathi: [00:02:17] This is another common question. HIPAA and HITRUST are not the same, but HITRUST is built upon HIPAA and many other regulatory standards. HIPAA is a set of standards that healthcare organizations should follow to be HIPAA compliant, but does not provide any certification. On the other hand, HITRUST provides a prescriptive set of controls that would meet HIPAA requirements and also provide certification rather than thinking which one is better, it’s good to think which would add more value and trust. Our blog has more information on this topic. So if anyone’s interested, please give it a read.
[00:02:53] Michelle: [00:02:53] And could you also talk a little bit about interim assessments and how would the access differ for MyCSF subscribers and non-subscribers?
[00:03:03] Swathi: [00:03:03] As I mentioned in our previous chat HITRUST is all about continuous improvement. Even though HITRUST is valid for two years, organizations still have to perform an assessment a year after the initial HITRUST validated assessment. You know, something to also keep in mind earlier in the CFS of journey is CSF subscribers can begin the assessment process 120 days before the submission date by manually creating the object. But, for non-subscribers the access would only last for 60 days and they will be required to reconstruct the assessment scores and comments for NAS from the previous year. So this is something to consider when you think about if you want to be a CSF subscriber or not.
[00:03:47] Michelle: [00:03:47] Well, thank you. Swathi. We are looking forward to our next HITRUST edition of cyBARR chats, where we’ll discuss the important conversations to have with your external assessors, HITRUST plus SOC 2, and more.
[00:03:59] See everyone next time. Have a great day.
[00:04:01] Swathi: [00:04:01] Thank you.