A Uniform Approach to Sharing Assurances and Other Certifications
Paddy Padmanabhan: Michael, a question for you, does HITRUST certification mean that you’re HIPAA compliant?
Michael Parisi: Great, great question. Well, let’s start with HIPAA certifications, right? I know we’re all laughing because there are still so many organizations that say that they’re quote, unquote, certified.
For most of us, we know that there is no such thing, right. And there are many standards like that where there’s no actual certification that exists. So what we strive to do is to certify the implementation of controls that help meet the requirements of authoritative sources, one of which being HIPAA. Right. So it is the closest thing that you’ll find to a HIPAA quote-unquote certification.
However, there is no HIPAA certification. And it really needs to be focused on how do you ensure you’ve implemented appropriate controls, arts, etc., to address the requirements that HIPAA does dictate? Now, in addition to that, you know, it’s interesting, because I know Brian was mentioning a few things as well. And so was Howard. When you look at a number of other programs that have recently been rolled out, or enhanced, like CMMC, nine is a good example, from a DoD perspective, I think all industries are moving down this direction of some type of quote-unquote certification.
Or to probably put it more accurately, as Howard indicated, as some type of independent level of validation. Because the number of business relationships that we are dependent upon as organizations is only increasing, it’s only going to continue to increase. What I like to call the daisy chain of third parties or business partners is also increasing. So there’s no more just one layer of a third party, right, or a direct vendor that we’re working with, with the onset of the cloud and a number of other organizations. In order to get a true picture in terms of what’s going on, we’re probably looking to three, maybe even four levels down the line, understand everywhere that our data is.
Padmanabhan: So HITRUST certification is some kind of proxy, at least in part, for complying with HIPAA. Is that the bottom line?
Parisi: Yeah, that’s the bottom line. And if you look at the most recent release that HHS and OCR put out, actually in December at the end of last year, for the first time ever, they’ve indicated a level of safe harbor, right. And that level of safe harbor is driven off of having an effective information security and privacy program actually implemented. And the key to that is also maintaining that program, right, to make sure that it remains relevant, etc.
So what we’ve done, working with HHS and OCR for so many years, is to align the requirements and capabilities of our program to that statement that was released. And we already have some examples, even in Q1 of this year, of organizations that have effectively used their HITRUST efforts in support of the safe harbor components that were released at the end of last year.
This session was part of the Paubox Spring Summit, Secure Communication During a Pandemic.
About Paddy Padmanabhan
Paddy Padmanabhan is the founder and CEO of Damo Consulting, a growth strategy and digital transformation advisory firm that works with healthcare enterprises and global technology companies. He is the host of The Big Unlock, a podcast focusing on healthcare digital transformation, and author of the book, The Big Unlock: Harnessing Data and Growing Digital Health Businesses in a Value-Based Era.
About Michael Parisi
Michael Parisi is the vice president of business development & adoption at HITRUST. He’s a seasoned information security and privacy industry professional. He has served as a lead healthcare industry expert, a national healthcare third-party assurance specialist, and the national HITRUST services lead for PricewaterhouseCoopers.
About Michael Mead
Michael Mead, BCPA, is the chief operations officer for The Medical Cost Savings Solution, where in just the past three years he has led the effort to save self-pay patients over $1.5 billion in their medical expenses. Before joining MCS, he led top Medicare Advantage programs in the reorganization and the implementation of new systems.
About Howard Rosen
Howard is the strategic and visionary leader of LifeWIRE, which he invented and developed as a patented population management communication platform that humanizes digital communication through personalized, responsive interactions between parties like healthcare providers and patients.
About Brian Kline
Brian Kline is the compliance and standards lead for Webb Adams — a veteran-owned business composed of cybersecurity and policy professionals well-versed in designing and managing security, privacy, and compliance programs. Kline is passionate about helping clients meet compliance standards and preparing them for industry certifications and attestations such as HITRUST, HIPAA/HITECH, SOC 2, GDPR, and ISO 27001.