
- 1. What is HITRUST?
The Health Information Trust Alliance (HITRUST) is a private, independent
company created to establish a common security framework that will allow for
more effective and secure access, storage and exchange of personal health
information. HITRUST is bringing together a broad array of healthcare
organizations and stakeholders, who are united by the core belief that
standardizing a higher level of security will build greater trust in the
electronic flow of information through the healthcare system.
- 2. Why did HITRUST find it necessary to undertake this initiative?
A group of industry leaders believed that a common security framework that
assures information security is critical to facilitating the broad adoption of,
and confidence in, health and biomedical information technologies, technologies
that hold the promise for quality improvement and cost containment in the healthcare
system. Since no existing entity could be identified with the focus and
capability to tackle these issues, HITRUST was established.
- 3. What is a "common security framework?"
The framework will include a set of single standards for security governance
practices and security control practices, as well as a guide to help
organizations that electronically access, create, store or exchange personal
health information reconcile the different aspects of existing security
standards. HITRUST's common security framework will establish uniform criteria
against which organizations can measure their own security and related privacy
functions.
- 4. How will HITRUST go about developing the common security framework?
HITRUST will take a collaborative approach to building the security framework,
by inviting representatives from across the spectrum of healthcare industries
to participate in the development process. In addition, HITRUST has engaged
the professional services firm PricewaterhouseCoopers (PwC) to manage the
program and work with the participants. The process will include the creation
of a series of working groups, organized by subject matter and subject type,
with each participating organization providing members able to represent their
organization in legal, compliance, privacy and security discussions.
- 5. Who will be involved?
Specifically, 155 organizations will work together to create the common
security framework. These organizations will be solicited by application only
in limited numbers representing each segment of the healthcare industry. The
founding participants in the development of HITRUST's common security framework
are CVS Caremark, Cisco Systems, Highmark Inc., Hospital
Corporation of America, Humana, Johnson & Johnson and Philips Medical Systems.
Leading the effort is HITRUST CEO Dan Nutkis, a healthcare IT
professional who previously led numerous collaborative efforts, including the
nationwide program that successfully guided Y2K remediation efforts for
healthcare organizations.
- 6. How will the common security framework impact the current public debate on patient privacy?
It will not. Although privacy advocates and the general public often use the
phrases information privacy and information security interchangeably, they are,
in fact, very different. In the US, health information privacy is about an
individual's right to have his or her personal information kept confidential.
This right is defined in federal and state law and regulation. Information
security, on the other hand, is the means and the mechanisms to protect
privacy. While the right to privacy is relatively constant, information
security must be capable of quickly adapting to changes in technology, to
changes in business practices and, equally as important, to constantly changing
threats. HITRUST is singularly focused on the challenge of security and is
uniquely capable of creating a solution.
- 7. What is the timeline for completing the common security framework?
The common security framework will be completed by the end of 2008.
- 8. Once the common security framework is built, what will HITRUST do next?
Once the common security framework is complete, HITRUST will actively seek
broad adoption of the framework among organizations that electronically
access, create, store or exchange personal health information. Meanwhile,
HITRUST will continue to develop solutions that increase the level of trust in
the security of personal health information, as well as educate the public and
advocate to policymakers on issues related to healthcare information security.
- 9. What kind of response have you gotten from industry?
Stakeholders from across healthcare industry segments have eagerly joined
HITRUST as participants. We've found that there was a gaping need for a
universal security framework, and our participants tell us that they appreciate
the opportunity to become part of the solution. In fact, we think one of our
biggest challenges will be saying "no" to organizations looking to participate
in the framework development, once we've reached the cap of 155 organizations.
- 10. How will HITRUST approach existing standards and best practices, where information security is concerned?
The idea that we must assure the utmost security of patient information is not
a new one, so there has been a good deal of work done in this area. HITRUST
will complement, rather than compete with, existing standards and practices,
where appropriate. One of the core principles of our framework will be to
leverage practices that have already proven effective.
- 11. How will the HITRUST framework incorporate future security standards that may be mandated by state and federal governments?
We recognize that the book on health information technology is constantly
evolving. That's why we are building a common framework that is comprehensive
enough to address the security needs of all stakeholders across the healthcare
industry, yet dynamic enough to integrate future standards of interoperability.
It is our hope that, by building the HITRUST common security framework, we will
preclude the need for government intervention in this area.