HITRUST plans Health Security Framework
A group of over 60 voting companies in the health care industry have come together to create a set of security & privacy best practices that will go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The new consortium that will create these best practices is called the Health Information Trust Alliance (HITRUST).
The HIPAA standards aim to protect the privacy of personal health information by giving patients more control over their information and setting boundaries on the use and release of health records. HIPAA requires companies to adopt privacy procedures and to ensure they’re followed, but many in the health care industry feel that more can be done to secure the privacy of patient information.
According to a survey HITRUST commissioned earlier this year, 96% of health information technology executives think it’s important to have a uniform way to verify the security of sensitive healthcare information. 85% of those surveyed think the health industry should pull together to create the comprehensive framework, which is exactly what HITRUST is now doing.
The new consortium, HITRUST, aims to develop a Common Security Framework (CSF) - a set of tools to aid organizations in protecting information and managing the risks, costs and complexities in managing these assets. They have published an overview of the framework and its components here [PDF].
The issues surrounding the protection of health information are complex and diverse but critical to the broad adoption, utilization of and confidence in health information systems, medical technologies and electronic exchanges.
Standardizing a higher level of information security will build greater trust and efficiencies in the electronic flow of information through the healthcare system and will instill confidence within regulators, business partners and consumers.
The document outlines challenges faced in protecting electronic health information including: risk and liability from data breaches, confusion about implementation and baseline security controls, complexities involved with inconsistent standards and varying interpretations, and outside scrutiny from regulators, auditors, partners and customers.
The HITRUST CSF aims to help organizations that create, store, access or exchange electronic health information. The CSF includes three parts: an Information Security Implementation Manual, a Standards and Regulations Cross-Reference Matrix and a Readiness Assessment Toolkit. You can view a sample of the Security Implementation Manual, one part of the CSF, here [PDF]. The CSF is expected to be released in January 2009.
Via InformationWeek

2 Comments on “HITRUST plans Health Security Framework”

August 27th, 2008 at 9:35 am
Excellent info! Thanks for the alert on this one. I guess the question is why this group felt compelled to create an entirely new consortium rather than simply work with HIPAA’s representatives to present add-on regulations for HIPAA. Seems to me that the web of compliance regulations is already pretty thick.
September 7th, 2008 at 10:49 pm
HiTrust (the Health Information Trust Alliance) has launched with great fanfare. Its mission is to “a common security framework for use by all parties that create, access, store or exchange personal health information. A health care vertical specific initiative around establishing and collaborating on information security best practices.