HITRUST has become an increasingly popular meta-framework for the attestation of privacy and cybersecurity programs. Originally only leveraged in healthcare as a true compliance certification, HITRUST is now used across industries.
The HITRUST CSF (Common Security Framework) normalizes a multitude of compliance regulations and regimes, including NIST, HIPAA, SOC 2, PCI, and several others. The goal of HITRUST is to enable organizations to “assess once, report many”, meaning organizations can re-use their HITRUST certification in place of doing audits and security assessments over and over.
HITRUST offers three levels of attestation: Self Assessment, Validated Assessment, and Certification. Validated Assessments and Certifications require third-party assessors approved by HITRUST. HITRUST Certification is based on scoring against a cybersecurity maturity model with five stages of maturity: 1) Policy, 2) Procedure, 3) Implementation, 4) Measurement, and 5) Management.
HITRUST is prescriptive in its training requirements. Every organization needs to implement a training program that teaches and continually improves its workforce’s security understanding as well as training specific to the privacy policies and procedures of the organization.
Here is the specific language from HITRUST.
These are not the same, though in practice many organizations only have one HIPAA training, and that training does not meet both of these requirements. Compliance training, or training on policies and procedures, is different from security awareness training. Policies and procedures define the why and the how, while security awareness training should cover the practical implementation (things like password hygiene).
HIPAA training should be conducted at onboarding for new employees, whenever changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.
Most organizations do not offer effective compliance training to their workforces. Current approaches to compliance training are outdated, generic, infrequent, and do not practically apply to the day-to-day work of employees.
Any organization aligning their privacy and compliance programs with HITRUST needs to provide both general training on privacy and security as well as specific training on HITRUST, the HITRUST CSF, and HITRUST Certification.
At Day Zero, our team has led multiple HITRUST assessments and managed privacy programs that are fully HITRUST Certified. In order to be successful with HITRUST training, and to limit the risk to organizations, privacy training needs to be built into the culture of the organization. In our experience, the following elements are essential aspects of effective compliance and HITRUST training.
Day Zero offers HITRUST-specific training, as well as general privacy and compliance training, that ensures all of the above. In addition, we provide metrics to continually gauge and improve compliance training. Our customers lean on us to build a culture of privacy across their entire workforce. We are 100% focused on making sure your employees are properly trained and you have the proof you need to pass your HITRUST Certification.
Below are some links to learn more about HIPAA training.