HITRUST Needs to be Included in Your QHIN Plans

Created in 2016 as part of the 21^st Century Cares Act, the Trusted Exchange Framework and Common Agreement (TEFCA) was crafted with the goal of establishing a universal floor for interoperability for networks of electronic health information across the country. TEFCA established the infrastructure model and governing approach for users of Qualified Health Information Networks (QHIN) to securely share basic clinical information with each other using commonly accepted expectations and rules.

QHINs are networks that agree to the TEFCA’s common terms and conditions of exchange with each other and to the functional and technical requirements for exchange. Organizations can apply to operate a QHIN. The Office of the National Coordinator for Health Information Technology (ONC) designated the Sequoia Project to serve as the Recognized Coordinating Entity (RCE) for TEFCA, putting it in charge of designating QHINs and providing oversight. To achieve QHIN designation status organizations need to make sure their network meets requirements that include privacy and security steps, approaches for identifying and authenticating exchange participants, conducting patient discovery and identity resolution, support for required exchange protocols, and more.

QHINs will serve as network nodes for data exchange between networks and will be responsible for routing queries, responses, and messages to and from their participants. Achieving designated status has the potential to serve as a business driver, providing organizations the ability to benefit from and provide customers with:

• Greater access to information with fewer barriers
• Access to more provider types and healthcare organizations
• Simplified data exchanges

HITRUST Meets QHIN Standards

TEFCA has strong cybersecurity requirements for designated QHINs. The Standard Operating Procedures (SOP) CA Section 12.1.2 states:

Signatory shall achieve and maintain third-party certification to an industry-recognized cybersecurity framework demonstrating compliance with all relevant security controls, as set forth in the applicable SOP.

The HITRUST r2 certification is the only framework that meets the TEFCA cybersecurity standards. For many healthcare organizations, the desire for a QHIN designation could make obtaining the HITRUST r2 certification a necessity for the first time.

The benefits of the r2 certification run much deeper than any organization’s QHIN aspirations. The r2 is considered the “gold standard” of security frameworks in the healthcare industry. Any business that holds the certification can be confident it meets any security requirements a potential customer may have. Being able to demonstrate to customers and prospects such a high level of commitment to protecting their data can play a major role in securing new business.

Obtaining the HITRUST r2

The HITRUST r2 is a powerful tool to show your organization has implemented stringent security processes and procedures. Achieving certification is rigorous, it will require detailed policy and process documentation and potentially the implementation of new tools and processes. Organizations need to understand that obtaining the r2 will require effort, time, and money.

The HITRUST r2 framework contains more than 2,000 controls, but your scope will be tailored to match your organization’s operations. Businesses typically have a control count of between 200-800.  Scoring for r2 controls is based on 5 maturity levels, policy, process, implementation, measured, and managed. Organizations must have an external assessor validate their control implementation. Once that is done, your assessment is submitted to HITRUST for a Quality Assurance Review for your certification to be approved or denied.

Organizations seeking to obtain HITRUST for the first time should expect the process to take between 9 to 18 months depending on the maturity of their security practices.

Once initially certified, a full r2 assessment is required every two years. On alternate years an interim assessment must be completed. You will work with your assessment firm to show you are still meeting the requirements of 19 controls selected by HITRUST. During the interim assessment, you will also need to show you have remediated or are working to remediate any gaps from the previous year’s full assessment.

At CompliancePoint, we have an experienced team of healthcare and cybersecurity professionals. No matter the size of your organization, we can guide you through every step of the HITRUST certification process, reducing your labor requirements and stress levels. Contact us at connect@compliancepoint.com to learn more about how we can help your organization.