When your business model requires collection and use of highly sensitive patient information, you need proof that the information and systems are secure. Learn how one provider of telehealth and virtual care management services is assessing and reporting on information security.
Client: National provider of remote in-home monitoring and virtual care management

Company size: 125 employees; $5 million annual revenues

Challenge: The company needed a means of proving to clients and other stakeholders that protected health information (PHI) is secure.

Solution: HITRUST independent third-party assessment followed by HITRUST CSF Certification

Results: An efficient and cost-effective HITRUST assessment; a better understanding of the data the company maintains and the systems that collect and process it, as well as the associated risks and effectiveness of controls that mitigate those risks.

An insurance company that represents one of the healthcare company’s largest contracts instituted a requirement for its business associates to become HITRUST certified.

Given that the services this company provides require it to access and process sensitive patient data, it needed a report that would give all of its constituents comfort that the data and IT systems are protected.

Before going down the path of completing the rigorous and time-intensive HITRUST assessment and certification, the company’s leaders wanted to look at all possible assurance reporting options. They considered the AICPA’s Service Organization Controls (SOC) reports and HIPAA assessments, as well as HITRUST. They ultimately decided that HITRUST was the best fit. The extensive and granular HITRUST Common Security Framework combined with independent testing by a qualified CSF Assessor provided the rigorous validation of controls that this company’s stakeholders were looking for.

Next, the company’s leaders needed to find a HITRUST CSF Assessor that would complete the assessment within a tight deadline (less than three months) while making the process as painless as possible for the healthcare company’s staff. Since HITRUST Certification involves interim reporting as well as biannual recertification, they needed a stable firm that would be around for the long term.

Through the HITRUST Alliance website, the leaders investigated all the CSF Assessors in their region. They chose CRI because the firm has the experience, expertise, and resources to get the job done on time and on budget.

When the healthcare company’s CEO met with members of the CRI IT Audit and Assurance team, he was impressed with their experience and knowledge of HITRUST assessments. Nearly two-thirds of the IT assurance team members, including the partner in charge of the practice, have earned the Certified CSF Practitioner designation.

CRI started the company’s HITRUST assessment in late November, with just three months until the insurance company’s stated deadline to achieve certification. HITRUST assessments typically last six to 12 months, but in this case, CRI was able to fast-track the process and submit the company’s assessment within the agreed-upon time and budget.

To achieve this accelerated timeline, CRI and the company established clear milestones, held weekly status meetings, and made interim calls when issues arose.

The firm also was able to reduce the amount of internal time required of the healthcare company. Because of its extensive experience performing not only HITRUST assessments but also HIPAA assessments, SOC reporting, and other IT assurance services, CRI was able to help the company avoid the road hazards that trip up other healthcare companies.

For example, the CRI team coached the company’s team members on the idiosyncrasies of the MyCSF tool that they must use to submit documentation and test evidence for HITRUST certification. Submitting incorrect or incomplete documentation can cause HITRUST to “kick back” the assessment, which can seriously delay the process.

The most important outcome is that the company now has a certification that demonstrates to stakeholders that its IT controls effectively mitigate the risks associated with the company’s services and the sensitive data that it collects, uses, and processes.

CRI can help your company identify the right IT assurance reporting for your situation – whether it is HITRUST, a HIPAA Assessment, SOC reporting, or another type of report.

HITRUST is rapidly gaining acceptance as one of the premier ways to certify that PHI is properly protected.

To get the most out of your investment in a HITRUST assessment, ask your CSF Assessor the following:
  • What is your process for performing the assessment?

  • What will be the level of internal effort required with this process?

  • What is your track record with completing HITRUST assessments on budget and on time? (Be sure to ask for references.)