HITRUST in a Startup: Benefits Beyond the Obvious
By Alex Baron, CTO and Co-founder, Ovia Health
Startups, because of limited resources and staff, are unlikely to have a compliance officer. Many startups face this all too common problem: any time you are asked for your security policy, you wonder if the five-page document created from various web sources is going to be sufficient. You tell all employees to change their passwords every three months. You outsource IT to install anti-virus software on work laptops. But there comes a moment when the uncertainty about your security practices becomes unbearable. You get to a point where you want to do it right, set it all up, assign ownership, and be confident in the security processes that have been established. This is when you need to explore HITRUST.
The Health Information Trust Alliance, or HITRUST, is a not-for-profit organization that created the HITRUST CSF, a “certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.” This framework was created by experts, leaders, and practitioners in the information and security field, and help organizations meet multiple regulations and standards, with HIPAA being the main one.
Obtaining a HITRUST certification is a rigorous and daunting process. There are hundreds of policy documents to produce and hundreds of procedures to follow, covering all aspects of the HIPAA security rule. However, going through this very thorough process, results in measurable and meaningful benefits for the company, both internally and externally.
Beyond receiving the certification and validation that your startup is adhering to a standard security framework, there are three additional benefits startups to reap: employee training, time savings, and industry respect.
HITRUST, is a not-for-profit organization that created a “certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management
HIPAA impacts virtually all employees. Making sure everyone is on the same page takes effort, and having everyone go through a HIPAA slide deck annually is not sufficient. However, it is important to realize that not everyone needs the same information about security practices. Engineers need to learn about secure data transfer, storage, and processing; HR needs to know what training policies to implement; Operations may want to outline procedures, etc. This creates opportunities for dividing the HITRUST preparation work and allocating different resources to cover different domains of expertise. Relevant employees do not have to be experts in HIPAA before they are engaged in the HITRUST process, but they will become experts through the process. Not only they will be the go-to resource for the relevant policies and procedures, but the deep understanding of the domains they are responsible for will make them promoters of best practices and good hygiene.
Being HIPAA compliant doesn’t just affect the technical team; it also makes an impact on sales, business development, and partnerships. Frequently, customers ask their vendors to answer lengthy security questionnaires that dive into infrastructure designs, approaches, policies, and procedures. With a proper division of labor within the company, questionnaires can be broken down by domains and distributed to employees with the matching expertise. The best part is that as times goes on, the company will find there is very little difference in the questionnaires. Although the language may differ, expert employees will be able to easily map most of the questions to the HITRUST domains. Moreover, often times, customers may just accept the HITRUST certification and either eliminate the need for the questionnaire or greatly reduce its length.
Finally, a HITRUST certification comes with industry respect. HITRUST gains adoption in the industry and having the certification shows the dedication and the importance a startup treats their security with. It is often recognized and applauded by customers, which may just give a company the needed edge with competitors. In cases when a HITRUST is not required, customers are still impressed with the level of security in place that is well above of what they expect from a vendor most of the time.
Though a startup may think that only established companies need to have HITRUST, there are immediate and future benefits that make the process worth it. HITRUST certification offers benefits beyond the common security framework it’s designed for; employee training, time savings, and industry respect are valuable commodities in a startup environment which will pay for themselves with both new business and confident customers.