I first took the HITRUST Assessor course in 2009 and was disappointed. Roughly, the aim of HITRUST then, as it is now, is to allow all players in the health care ecosystem (providers, payors, suppliers and others) to adopt a single security framework, and then deliver attendant certifications to demonstrate that their security programs or selected IT systems are secure. In short, a hospital, for example, would conduct a HITRUST assessment to demonstrate to anyone (government and private entities) that its overall security program has a requisite level of maturity. A single report could then be created once and submitted to every party that needed to verify the organization's security maturity. (Note: CPA firms offer similar attestations, such as the SOC Type 1 and Type 2 assessments, under AICPA guidance for service providers.)
Why, how, and when to conduct an information security risk analysis
An article in HCCA Compliance Today
Under the Health Insurance Portability and Accountability Act (HIPAA), all electronic protected health information (e-PHI) created, received, maintained, or transmitted by a “covered entity” is subject to the Security Rule. If we assume that information technology powers modern health care, then it stores or disseminates nearly everything an entity might know about a patient. Thus, e-PHI security and privacy are fundamental and paramount.