Is HITRUST the Best Option for My Company?
October 14, 2022
By Kate Siegrist and James Redman
Sitting down with a health care compliance expert will help you determine the best strategy for meeting your compliance obligations. While HITRUST is often called the "gold standard" for health care compliance, it is usually not the only way, or even the best way, to get there.
What are the alternatives to HITRUST?
Below are options we have negotiated for clients as alternatives to HITRUST certification:
- SOC 2 Plus HITRUST
- A standard SOC 2 audit that also covers the 75 HITRUST controls required for certification. EisnerAmper is a certified HITRUST assessor.
- Data – Business re-engineering
- Review the in-scope data elements that triggered the HITRUST requirement and remove those triggering factors. This is done on a case-by-case basis.
- SOC 2
- Health care companies have used a SOC 2 report on its own to demonstrate health care compliance to their customers.
What are some of the factors (pro or con) that companies should consider when selecting a compliance framework?
Most frameworks are designed with specific industries in mind. HITRUST was built to include HIPAA compliance as an option and is the framework most tailored to health care. Other commonly used frameworks and standards are ISO 27001, NIST, and SOC 2.
Can you provide a brief example of hypothetical companies and why they may choose one or the other compliance option?
- A national health care organization went with a SOC 2 Plus HITRUST report, which its client deemed acceptable in place of a full HITRUST certification.
- A small startup could not afford the cost of HITRUST compliance. EisnerAmper worked with the client to de-identify the in-scope PHI data elements to the point where the HITRUST requirement no longer applied. Note that this only works if the de-identification meets HIPAA's de-identification standard (Safe Harbor or Expert Determination); otherwise the data remains PHI and the requirement stays.