How to Take Advantage of the HITRUST Shared Responsibility and Inheritance Program
by Chloe Bowen
Because of the sensitive nature of medical care, the healthcare industry faces unique security challenges. The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, is U.S. legislation created to improve health coverage standards and combat fraud and abuse related to protected health information (PHI).
HITRUST® was created to help mitigate and manage risk for covered entities and their business associates. It establishes the HITRUST CSF® framework that allows for the consistent implementation of HIPAA requirements.
In 2019 Paubox achieved HITRUST CSF Certification to manage risk and improve its security posture. This certification applies to Paubox Email Suite Standard, Plus, and Premium, Paubox Email API, and Paubox Marketing.
What is the HITRUST Shared Responsibility and Inheritance Program?
The HITRUST Shared Responsibility and Inheritance Program is intended to simplify leveraging service provider security controls for a HITRUST CSF Assessment.
Assessment scores of any cloud hosting or service provider participating in the HITRUST Shared Responsibility and Inheritance Program can be applied to any other organization’s assessment.
In other words, a company conducting its own HITRUST CSF Assessment can leverage a vendor’s assessment scores, inheriting the vendor’s controls and applying them to its own assessment, which saves time and resources.
This simplifies and streamlines the assessment process.
Benefits of the program
Key benefits of the HITRUST Shared Responsibility and Inheritance Program include:
- An indication that a vendor has a strong focus on security
- Less required testing
- Inheriting control requirement scores
- Less data entry for applications already hosted on a HITRUST CSF certified environment
By seamlessly lifting and applying assessment scores to other assessments across the board, organizations can reduce the time, effort and associated costs required for testing inherited controls.
How the program works
Participating service providers appear in the official list of organizations that have a HITRUST CSF Validated Assessment. A client indicates which specific control requirement it will inherit and chooses its hosting or service provider from the list.
The system validates the relationship by requesting verification from the vendor to confirm the services provided.
In order to participate in the program, a vendor must have:
- MyCSF Subscription
- Inheritance Module Subscription
- Current HITRUST CSF Validated Assessment in good standing
For more information about the HITRUST Shared Responsibility and Inheritance Program, contact HITRUST at 855.HITRUST or email firstname.lastname@example.org.