Many business associates not ready to meet HITRUST standard to protect patient data

Locked record

Two-thirds of healthcare business associates are not prepared to meet the Health Information Trust Alliance's (HITRUST) data security standard to protect providers’ patient protected health information (PHI), a new survey finds.

EHR vendors, including cloud service providers, are seen as business associates who are subject to HIPAA and required to stake steps to keep a covered entity’s PHI secure. HITRUST is a privacy and security framework for organizations who create, maintain transmit or receive PHI to assess their level of readiness and soundness of their environment. Since HIPAA does not mandate in particular how to keep PHI private and secure, using the HITRUST standard is one way to do so.

Organizations can indicate their readiness either through a HITRUST CSF examination or a HITRUST CSF certification, both of which “enable vendors to communicate their good faith effort to protect patient information,” Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice, says in an announcement; KPMG conducted the survey.


Elevate Health Plan Member Engagement Through Call Center Transformation

Learn how health plans can rapidly transform their call center operations and provide high-touch, concierge service to health plan members.

“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers ... the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts," Frolick adds.

However, the survey of 604 professionals finds that 50 percent are “not prepared” and another 17 percent have a plan but have yet to implement it. Only 7 percent said they are “completely ready,” and 8 percent are “well along implementation.”

Another 17 percent are in the planning stages of implementing their plan.

Suggested Articles

Nearly 10,000 patients involved in research studies were impacted by a third-party privacy breach that may have exposed their medical diagnoses, test results…

Veterans Health Administration medical facilities currently have a paper medical record backlog that if stacked up would be 5.15 miles high, according to the…

The Department of Health and Human Services announced proposed changes to privacy restrictions on patients' substance use treatment records.