What is HITRUST Compliance and Regulatory Mapping?
HITRUST compliance and regulatory mapping are processes designed to bring a company’s information security and privacy practices in line with the HITRUST CSF and many other regulatory requirements.
What is HITRUST compliance?
HITRUST stands for Health Information Trust Alliance, the organization that developed the HITRUST CSF, one of the most rigorous frameworks for managing and protecting sensitive information. The HITRUST CSF incorporates requirements from the following standards and regulations, with healthcare-specific measures:
- ISO/IEC 27001: Information security management
- NIST SP 800-53: Security and privacy controls
- HIPAA: Health Insurance Portability and Accountability Act (for the healthcare industry)
- PCI-DSS: Payment Card Industry Data Security Standard
HITRUST compliance asserts that the appropriate controls have been implemented to secure sensitive information and to meet the security and privacy requirements specified in the CSF.
Since it primarily targets the handling of health information, HITRUST compliance is most relevant in the healthcare industry. The stringency of the standard, however, makes HITRUST compliance valuable for any organization that handles sensitive data.
What is regulatory mapping?
Regulatory mapping aligns an organization's controls and practices with multiple compliance requirements. It involves identifying the regulations relevant to the organization and then mapping them against the controls in place under frameworks such as the HITRUST CSF.
Some key attributes of regulatory mapping include:
Identifying relevant regulations
Which regulations apply to your organization depends on factors such as the industry you operate in, your geographic location, and the type of data you handle. For instance, healthcare institutions will use HIPAA or HITRUST, while financial institutions fall under regulations such as PCI-DSS.
Mapping regulations to HITRUST CSF controls
Each regulatory requirement is cross-referenced to the HITRUST CSF controls, so that for every requirement it is indicated how that requirement is satisfied by the HITRUST controls. Mapping at this level provides assurance that your compliance efforts cover all of your regulatory obligations.
Gap analysis
Identify any gaps between the HITRUST controls and the regulatory requirements. This analysis pinpoints areas where additional controls are needed, or where existing controls must change, to ensure full compliance with each regulation.
Documentation and reporting
Maintain documentation showing how your organization meets the HITRUST CSF and other regulatory requirements. This documentation is critical in the event of an audit, an assessment, or compliance reporting to stakeholders.