HITRUST Training Requirements

HITRUST Training is prescriptive. How can you comply?


Do you need HITRUST training?

HITRUST has become an increasingly popular meta-framework for the attestation of privacy and cybersecurity programs. Originally only leveraged in healthcare as a true compliance certification, HITRUST is now used across industries.

The HITRUST CSF (Common Security Framework) normalizes a multitude of compliance regulations and regimes, including NIST, HIPAA, SOC 2, PCI, and several others. The goal of HITRUST is to enable organizations to “assess once, report many”, meaning organizations can re-use their HITRUST certification in place of repeating audits and security assessments for each regime.

HITRUST offers three levels of attestation - Self Assessment, Validated Assessment, and Certification. Validated Assessments and Certifications require third-party assessors approved by HITRUST. HITRUST Certification is based on scoring against a cybersecurity maturity model with 5 stages of maturity - 1) Policy, 2) Procedure, 3) Implementation, 4) Measurement, and 5) Management.

What training does HITRUST require?

HITRUST is prescriptive in its training requirements. Every organization needs to implement a training program that teaches and continually improves its workforce’s security understanding as well as training specific to the privacy policies and procedures of the organization.

Here is the specific language from HITRUST.

  • 0107.02d1Organizational.1 - The organization has an information security workforce improvement program.
  • 0108.02d1Organizational.23 - The organization ensures plans for security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency with the risk management strategy and response priorities.
  • 1325.09s1Organizational.3 - Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic).
  • 1336.02e1Organizational.5 - The organization’s security awareness and training program will identify how workforce members are provided security awareness and training; identify the workforce members (including managers, senior executives, and as appropriate, business associates/partners, and contractors) who will receive security awareness and training; describe the types of security awareness and training that are reasonable and appropriate for its workforce members; how workforce members are provided security and awareness training when there is a change in the organization’s information systems; and how frequently security awareness and training is provided to all workforce members.
  • 0137.02a1Organizational.3 - The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance requirements for its human resources security protection program (e.g., through policy, standards, guidelines, and procedures).
  • 1301.02e1Organizational.12 - Employees and contractors receive documented initial (as part of their onboarding within sixty (60) days of hire), annual and ongoing training on their roles related to security and privacy.
  • 1308.09j1Organizational.5 - The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements.

Note that these requirements cover two distinct kinds of training. In practice, many organizations only have one HIPAA training, and that single training does not meet both requirements. Compliance training, or training on policies and procedures, is different from security awareness training. Policies and procedures define the why and how, while security awareness training should cover the practical implementation (things like password hygiene).

HIPAA training should be conducted at onboarding for new employees, when changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.

What does effective HITRUST training look like?

Most organizations do not offer effective compliance training to their workforces. Current approaches to compliance training are outdated, generic, infrequent, and do not practically apply to the day-to-day work of employees.

Any organization aligning their privacy and compliance programs with HITRUST needs to provide both general training on privacy and security as well as specific training on HITRUST, the HITRUST CSF, and HITRUST Certification.

At Day Zero, our team has led multiple HITRUST assessments and managed privacy programs that are fully HITRUST Certified. In order to be successful with HITRUST training, and to limit the risk to organizations, privacy training needs to be built into the culture of the organization. In our experience, the following elements are essential aspects of effective compliance and HITRUST training.

  • Simple words. Technical jargon should not be used. Most employees don’t need to talk to auditors or interpret compliance frameworks. They need training they can understand.
  • Ongoing. Training starts at onboarding but should be continually delivered in snippets on a regular, at least monthly basis.
  • Scenario-based. Training needs to be relatable. Regulations, policies, and procedures need to be mapped to the situations in which employees find themselves.
  • Adaptive. Training software developers on how to handle medical records is useless. Training doctors on a secure development lifecycle is equally useless. Training customer support in designing compliance programs is useless. Specific training curricula and snippets should be tailored to the specific roles of employees.
  • Engaging. Training should not be static. Employees should be asked to participate with feedback and fun quizzes.
  • Relevant to modern work. Work is done on computers in the office and on employee-owned phones at home. HITRUST training needs to take this into account and incorporate lessons that apply to all of these settings.

Day Zero offers HITRUST-specific training, as well as general privacy and compliance training, that ensures all of the above. In addition, we provide metrics to continually gauge and improve compliance training. Our customers lean on us to build a culture of privacy across their entire workforce. We are 100% focused on making sure your employees are properly trained and you have the proof you need to pass your HITRUST Certification.

Resources for HITRUST training

Below are some links to learn more about HIPAA training.