Preparing IT for a HITRUST Audit

Manufacturer turns to Primitive Logic for help protecting sensitive healthcare data

Overview

When a wellness product manufacturer received requests from healthcare providers to become HITRUST CSF certified as a condition of future business, they contacted Primitive Logic.

What Is HITRUST?

HITRUST (Health Information Trust Alliance) is a not-for-profit organization dedicated to helping organizations protect sensitive healthcare information and manage risk throughout their supply chains. It created and maintains the HITRUST CSF (Common Security Framework), a certifiable framework that harmonizes controls drawn from HIPAA, PCI DSS, ISO/IEC 27001, NIST publications, and other standards and regulations, along with requirements that are unique to HITRUST.

The Challenge

Our client receives recurring orders for their wellness products from numerous healthcare providers, some of whom made HITRUST certification a condition of their partnership agreement. Failure to become certified would have cut off our client’s present and future revenue streams from these companies. As awareness of the need to protect personal data grows, more companies in the healthcare industry are requiring partners to be HITRUST certified, and our client recognized that certification could become a requirement for future partnerships as well.

Our client had a six-month window to become certified — not enough time for their internal resources to get up to speed on all HITRUST requirements, build a readiness strategy, and implement controls.

Why They Chose Primitive Logic

The client had partnered with Primitive Logic for a previous project, and they were familiar with our expertise in data privacy as well as our successful track record in writing effective and easy-to-follow policies. They were also familiar with our deep experience helping clients prepare for HIPAA, GDPR, and other regulations, which was a key factor in choosing us for this project.

The Results

Primitive Logic worked closely with our client to analyze HITRUST requirements that impact their IT operations. For each requirement, our team reviewed the company’s existing documentation (standard operating procedures, manuals, job guides, etc.) to assess how they addressed the issue and whether they satisfied the HITRUST control. For procedures that fell short of compliance, we performed a gap analysis and created tasks for meeting the standard.

In addressing requirements for which there was no existing documentation, the team met with the appropriate subject matter experts (SMEs) to write new procedures from scratch. Working with the SMEs’ input, we wrote basic procedures based on the requirement and submitted them to the security and HITRUST audit teams for a basic review. If the basic procedure was approved, the team moved on to writing the more extensive and detailed procedures that HITRUST requires. After writing the detailed procedures, the team collected articles of evidence (including sample tickets, configuration screenshots, and audit logs) and operations documents from the SMEs to support each HITRUST requirement. We completed this effort through close partnership with process owners by conducting detailed elicitation sessions.

Several of the requirements called for intensive collaboration to design, and gain agreement on, a workable procedure that meets the standard. For example, HITRUST requires that a user who logs in to an application granting access to personal health data be automatically logged out after 30 minutes of inactivity. Our client uses single sign-on, so every login and logout for every application passes through a single portal, and enforcing the timeout at that portal would treat inactivity in one application as inactivity everywhere. The team worked with the IT department to devise a solution that scopes the inactivity timeout to the individual application session, so that 30 minutes of inactivity in one application ends only that application's session rather than logging the user out of every application.
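To make the design point concrete, the following is an added illustration in Python; it is not the client's or Primitive Logic's implementation, whose details the case study does not describe. Each application keeps its own session record with a last-activity timestamp and judges inactivity against that record, while the SSO portal's session is tracked separately and is not touched when an application session expires. The application names, the user, the 12-hour absolute limit and the timeline are constructed assumptions.

```python
"""Per-application inactivity timeout alongside a shared single sign-on session.

Added illustration (not the client's implementation): the SSO portal holds one
identity-provider session per user, and each application holds its own session
record with a last-activity timestamp. Inactivity is judged per application
record, so 30 minutes of inactivity in one application ends only that
application's session and leaves the SSO session and other applications alone.
"""
from dataclasses import dataclass

IDLE_LIMIT = 30 * 60        # 30 minutes of inactivity, the limit stated in the case study
ABSOLUTE_LIMIT = 12 * 3600  # assumed hard cap on session lifetime regardless of activity


@dataclass
class AppSession:
    app: str
    user: str
    sso_id: str
    created_at: int      # seconds; any monotonic clock works
    last_activity: int


class SessionStore:
    def __init__(self):
        self.sso_sessions = {}   # sso_id -> user, owned by the SSO portal
        self.app_sessions = {}   # (app, user) -> AppSession, owned by each application

    def sso_login(self, user, sso_id):
        self.sso_sessions[sso_id] = user

    def app_login(self, app, user, sso_id, now):
        # An application session is only issued on top of a live SSO session.
        if self.sso_sessions.get(sso_id) != user:
            raise PermissionError(f"no valid SSO session for {user}")
        self.app_sessions[(app, user)] = AppSession(app, user, sso_id, now, now)

    def _expired(self, s, now):
        idle_too_long = now - s.last_activity >= IDLE_LIMIT
        lived_too_long = now - s.created_at >= ABSOLUTE_LIMIT
        return idle_too_long or lived_too_long

    def touch(self, app, user, now):
        """Called on every request. Returns True if the request may proceed.

        An expired record is deleted server-side here, so a stale cookie
        cannot revive it; only a fresh app_login can.
        """
        s = self.app_sessions.get((app, user))
        if s is None:
            return False
        if self._expired(s, now):
            del self.app_sessions[(app, user)]
            return False
        s.last_activity = now
        return True

    def is_active(self, app, user, now):
        s = self.app_sessions.get((app, user))
        return s is not None and not self._expired(s, now)

    def sso_active(self, sso_id):
        return sso_id in self.sso_sessions


def demo():
    """Constructed timeline: one user, two assumed applications, one SSO session."""
    store = SessionStore()
    store.sso_login("jdoe", "sso-001")
    store.app_login("health-records", "jdoe", "sso-001", now=0)
    store.app_login("order-portal", "jdoe", "sso-001", now=0)

    # The user keeps working in order-portal every 10 minutes but never
    # returns to health-records.
    for t in (600, 1200, 1800):
        store.touch("order-portal", "jdoe", now=t)

    result = {
        "health_records_active": store.is_active("health-records", "jdoe", now=1800),
        "order_portal_active": store.is_active("order-portal", "jdoe", now=1800),
        "sso_active": store.sso_active("sso-001"),
    }
    # A request to the idle application is refused and its record is purged.
    result["health_records_request_allowed"] = store.touch("health-records", "jdoe", now=1800)
    result["health_records_record_present"] = ("health-records", "jdoe") in store.app_sessions

    # The SSO session is still valid, so re-entering the idle application does
    # not require re-authenticating at the portal (a policy choice left to the IdP).
    store.app_login("health-records", "jdoe", "sso-001", now=1800)
    result["health_records_reopened"] = store.is_active("health-records", "jdoe", now=1801)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check that matters is that expiry is computed from the application record's own last-activity time, and that an expired record is removed on the server at the next request rather than merely hidden by the client. The SSO session is a separate object, so one application timing out says nothing about the others; whether a timed-out user must re-authenticate at the portal is then a separate identity-provider policy decision.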

We worked with our client to meet all HITRUST IT requirements on schedule. The organization has completed its self-assessment and submitted it to HITRUST for evaluation. They are confident that they will pass the evaluation and receive their certification, fulfilling their business partners' requests and clearing the path for future partnerships.

We Can Help

Let the Primitive Logic team help you achieve mindful digital transformation.