A solution for HITRUST transmission protection – Control 9.11


Last week we flew to Tampa to attend our first HITRUST Community Extension Program (CEP) event. It was sponsored by 360 Advanced and hosted at Microsoft’s office.

Towards the end of the program, I discussed an idea about creating content around specific HITRUST controls that Paubox directly addresses. In other words, the goal would be to make it easier to find solutions that can help organizations achieve HITRUST CSF compliance. The idea was greeted with approval.

This post aims to help organizations going through HITRUST certification find solutions that can help them achieve CSF compliance for specific controls.

HITRUST Transmission Protection: Control 9.11

As of version 9.2 of the HITRUST CSF, here is the language for Control 9.11 (Transmission Protection):

“The organization does not send PII/PHI over facsimile (FAX), unless it cannot be sent over other, more secure channels (e.g., delivery by hand, secure email).”

I can distinctly recall this control, as we blogged about it during our HITRUST CSF Gap Analysis.

Illustrative Procedure for Policy

Within each HITRUST control, there’s a section called “Illustrative Procedure for Policy.” Its purpose is to help organizations understand the spirit of the control.

We referred to them quite often when we were going through our HITRUST journey.

Here’s the Illustrative Procedure for Policy for Control 9.11 (Transmission Protection):


“Examine policies and/or standards related to the use of fax communications and determine if the organization does not send PII/PHI over facsimile (FAX), unless it cannot be sent over other, more secure, channels (e.g., delivery by hand, secure email).

If no written policy or standard exists, interview control owner(s) responsible for, key staff involved in/with, and/or other relevant stakeholders impacted by the policy/control requirement(s) and determine if the requirement(s) is/are understood. Evidence of ad hoc or informal policy may also be provided by observing individuals, systems and/or processes associated with responsibilities for the use of fax communications to determine if the policy requirements are generally understood and implemented consistently. Review any written procedure(s) or examine documentation associated with formal or ad hoc processes to determine if the requirement(s) is/are addressed consistently by the entity.”


Given our stance towards faxing (we recently held a wake for the fax machine), we were encouraged by HITRUST’s posture on the matter.

How we satisfied Control 9.11 (Transmission Protection)

To satisfy Control 9.11, we did two things:

  1. We created a written policy around the use of fax machines (we don’t allow their use)
  2. We created another written policy stating that, instead of using a fax machine, we are to use our own Encrypted Email solution.

Conclusion

By creating written policies around fax usage and coupling them with our own use of Paubox Email Suite, we were able to satisfy Control 9.11 (Transmission Protection) of the HITRUST CSF certification.

We hope this post helps others on their HITRUST journey.

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
