Audit and Assurance

Healthcare Payer/Provider firms: HITRUST Cert. Questions

  • 1.  Healthcare Payer/Provider firms: HITRUST Cert. Questions

    Posted 26 Nov, 2019 22:56
    Hello All:
    I am looking for some advice from firms who are either in the Healthcare Provider or Payer space/vertical.

    1. Do you, as a Healthcare Provider firm (e.g. hospitals) or Payer firm (e.g. Health insurance firms) require HITRUST certification for your suppliers? 
      • I have heard yes, no, maybe...and everything in between 
    2. If a consulting firm were to provide data analytics for you as a Provider firm or Payer firm, and the consulting firm was HITRUST certified, would you allow the consulting firm to host/work with your ePHI data in their environments (private cloud and public cloud)? 
    3. If yes, do you require any geographical restrictions? (e.g. all data must be stored in the US only...or EY only)

    Any advice would be greatly appreciated!


  • 2.  RE: Healthcare Payer/Provider firms: HITRUST Cert. Questions

    Posted 29 Nov, 2019 02:34
    Can members involved in Healthcare please help Nick with this one?

    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------



  • 3.  RE: Healthcare Payer/Provider firms: HITRUST Cert. Questions

    Posted 29 Dec, 2019 20:32
    I have experience in this area, but am not exclusively related to a provider/payer. Some of my thoughts below from an assessor's perspective:

    Do you, as a Healthcare Provider firm (e.g. hospitals) or Payer firm (e.g. Health insurance firms) require HITRUST certification for your suppliers? 
    • I have heard yes, no, maybe...and everything in between 
    Most of my clients are doing HITRUST as a service provider because a payer firm is requiring it. I have no data to support this, but would guess that most providers are still trying to figure HITRUST out, and those that are requiring their suppliers to be HITRUST certified are most likely not practicing what they preach.

    If a consulting firm were to provide data analytics for you as a Provider firm or Payer firm, and the consulting firm was HITRUST certified, would you allow the consulting firm to host/work with your ePHI data in their environments (private cloud and public cloud)?

    Depends on your vendor risk management program. If you see HITRUST as a reputable way to attest to security AND their report covers the scope of services provided you are probably in a good place.

    If yes, do you require any geographical restrictions? (e.g. all data must be stored in the US only...or EY only)

    If you're using a HITRUST certification for this entity be extra careful to ensure the certification includes the international instances in-scope.

    ------------------------------
    Kyle Miller
    Manager
    ------------------------------



  • 4.  RE: Healthcare Payer/Provider firms: HITRUST Cert. Questions

    Posted 24 Jan, 2020 15:37
    Not in healthcare field, but I have participated in some recent contract language negotiations with prospective health insurance providers. We generally request a SOC 2 Type 2, HITRUST CSF, or a similar independent security audit report and we've gotten responses like:

    * SOC 2 audits are not applicable to healthcare businesses (not true)
    * SOC 2 audits are not standard or typically done by healthcare businesses (probably true at present)
    * Our security organization has certified that we are in compliance with HIPAA (not really good enough)
    * We don't do HITRUST audits on an annual basis, but we require our subproviders to certify annually (a start in the right direction)

    Our preferred stance is that data must be stored in the US only, subproviders are certified annually, and the health insurance provider should also have annual security certifications. But these are emerging controls, and the reality is that many companies are not yet at that level of maturity. We're doing our part to encourage it.

    ------------------------------
    Randy Anderson
    Director, IT Process and Planning
    ------------------------------