Several members of HITRUST, a health industry consortium best known for developing the Common Security Framework of best practices, will now require business associates to follow the framework and document compliance with it.

In a report released in December 2012, the consortium estimated that business associates are implicated in 21 percent of protected health information breaches, accounting for 58 percent of breached records. Now, benefit plans CVS Caremark, Health Care Services Corp., Highmark, Humana, UnitedHealth Group and WellPoint will require business associates to adopt the CSF best practices and submit assessment reports demonstrating compliance.

WellPoint presently accepts CSF assessment reports from BAs and has its own approaches to conducting third-party risk assessments, says Roy Mellinger, chief information security officer. Now, it is looking to mandate a single process based on a CSF assessment.

Standardizing on the CSF assessment reports would help many business associates, who annually receive hundreds of requests from business partners for documentation to ensure compliance with the HIPAA privacy, security and breach rules. Claims clearinghouse Availity supports the CSF approach to reduce the number of non-standard assessments it must conduct, says Trent Gavazzi, chief technology officer.

HITRUST recently issued guidance on how best to use the Common Security Framework to assess an organization’s cybersecurity preparedness.
