We sat down with Ron Bell, Chief Legal Officer, and Brian Hanson, Chief Information Security Officer, to chat about the recent HITRUST certification for our systems that process member information, and how this achievement reflects our continued commitment to protecting and managing healthcare data.
What is HITRUST?
HITRUST is an organization committed to championing programs that manage risk and protect sensitive information. They develop risk and compliance management frameworks and certifications that are globally recognized and are considered the “gold standard” of the industry.
What HITRUST certification did Collective Health achieve?
Collective Health has earned the HITRUST Risk-based, 2-year (r2) certification for its in-scope systems, one of the most comprehensive security certifications a healthcare entity can achieve. The HITRUST framework uses an integrated approach to help ensure that an organization’s programs are aligned, maintained, and comprehensive in support of managing risk and protecting sensitive information. HITRUST integrates 40+ authoritative sources (HIPAA, ISO, etc.) into one robust standard. By meeting these requirements in its systems, a company helps manage its security risk, helps lower the likelihood of security breaches, and shows dedication to taking security seriously.
What steps did Collective Health take so that its in-scope systems would receive this certification? How long did the process take?
Achieving a HITRUST Risk-based, 2-year (r2) certification for in-scope systems required Collective Health to meet and maintain 270 security controls across 19 domains to help secure protected health information. Compliance was then audited by a third party and reviewed against certification requirements by the HITRUST organization.
Meeting these high standards involved documenting and implementing policies, procedures, risk assessments, and technical controls to satisfy the security and industry frameworks incorporated into the HITRUST standard. This required more than a year’s effort by our engineering, security, privacy, and compliance teams.
What are the benefits of receiving this certification and how will it help advance Collective Health as a leader in the healthcare and benefits industry?
Healthcare is founded upon trust. While Collective Health has long undertaken an annual SOC-2 certification, and will continue to do so, HITRUST certification for our in-scope systems is a far more comprehensive standard. By meeting HITRUST certification requirements, Collective Health has demonstrated fealty to the highest standards of commitment in helping manage security risks.
How does this help Collective Health’s users – the employers as well as the employees/plan members?
Members and customers will see no change in the high standard of care they receive from us today. But companies that work with us can be assured that our in-scope systems have met the stringent requirements for compliance and security identified by HITRUST.
Also, HITRUST isn’t a one-and-done certification. Collective Health’s in-scope systems will continue to receive audits and must satisfy a more comprehensive review of their compliance with the HITRUST standard every two years.