Growth Through Compliance
As a SaaS (Software as a Service) vendor in the healthcare space, Command Business Partners (CBP) knew its future would eventually include the HITRUST Alliance’s Common Security Framework (CSF) certification. CBP, founded in 2017, provides a Complaints, Appeals and Grievances (CAG) solution for the health insurance industry. If members or providers feel payments or services are improperly denied, these cases are handled by payer organizations using CBP’s solutions.
That means CBP constantly handles sensitive Protected Health Information (PHI). For a while, Co-Founder Daniele Chenal says, they relied on their HITRUST CSF-certified data center to satisfy clients’ privacy requirements. But it soon became clear that CBP’s path to winning more clients and working with larger providers ran through a HITRUST certification.
“It’s definitely about opening up new opportunities,” Daniele says. “But it is also critical to us that we are doing things right. Managing peoples’ health information under the rigidity of HIPAA and other standards is daunting. So, we were looking for peace of mind first and foremost.”
What Is HITRUST CSF?
Like other frameworks and compliance protocols (such as SOC 2®, PCI, HIPAA and GDPR ), HITRUST CSF provides objective criteria for measuring how an organization secures data. It also carries the added weight of third-party validation at its higher levels. That’s one reason that HITRUST CSF represents a major step up from the familiar HIPAA healthcare standard, which allows organizations to attest to their own security processes.
Many organizations complete the SOC 2® audit process before pursuing HITRUST CSF certification. Some organizations focus on both in an integrated effort. For CBP, it made the most sense to focus on HITRUST CSF, since it’s the framework expected by CBP’s target clients.
In CBP’s case, the entire process took approximately three years as they weighed the investment and then proceeded through HITRUST’s three stages:
- Performing a self-assessment to determine readiness. (Many organizations also do a mock audit when they feel they’re almost ready.)
- Hiring a third-party auditor to perform a validated assessment.
- Waiting for the HITRUST Alliance to certify the information provided by the organization and the independent assessor.
Finding a Partner
Early in CBP’s HITRUST CSF research, friends in the industry suggested that they hire a consulting team to guide them through the process. They immediately recognized that as sound advice. “We always knew we’d have someone come in and help us,” Daniele says.
After seeking vendor references, CBP learned about Pratum and started with an information security risk assessment to gauge the results and relationship. Satisfied with that process, CBP moved on to using Pratum for incident response planning, including leading tabletop exercises. Convinced that it was time, CBP set out on the HITRUST CSF journey.
A Team That Gets Results
During a roughly year-long prep and review process, Daniele and Matthew forged a deep partnership. At the height of the audit period, they spent 4-5 hours every day on the phone answering auditors’ questions and requests for evidence. They managed the painstaking review of language in CBP’s policies, often revising lines word-by-word to meet HITRUST CSF requirements. They collected thousands of pieces of supporting evidence required by the auditors.
The work ultimately paid off, as the auditor submitted their report to HITRUST, it passed the HITRUST quality-assurance process, and CBP had its HITRUST CSF certification.
For Daniele, one of Pratum’s key value-adds was managing the daunting schedule and the list of to-do items that came out of every call with the auditor. “Matthew kept us on track to meet the timeline. It sounds too low-level to say Pratum helped coordinate things, because it was really awesome."
I can say with certainty that we surely could not have achieved this without Matthew's help. He has been an excellent advisor and advocate.Daniele Chenal Co-Founder - Command Business Partners
Advice for Pursuing HITRUST CSF
For other firms considering a HITRUST CSF pursuit, Daniele and Matthew offer the following tips:
- Allow lots of lead time. Daniele says to give yourself several months to really understand the complex HITRUST CSF controls and to perform your own mock audit before engaging with a third-party auditor.
- Commit a senior leader to the process. Matthew says it takes an experienced person with decision-making authority to handle many of the auditor questions, and that job requires hours of phone calls each day for about a month. If you assign a junior person to the process, they may delay the process while hunting down answers to questions.
- But DO assign a support person to collect evidence. Auditors request scores of pieces of supporting evidence such as screen shots, documentation, etc. You’ll need a person dedicated to handling those requests quickly every week.
- Use HITRUST’s language. You can try explaining to the auditor how the wording in your policies achieves HITRUST CSF’s goals, but you’re better off matching their recommended phrasing word-for-word. Matthew says, “You have to do things the HITRUST way, or you don’t get your certification.”
- Keep up with the evidence requests. If you don’t stay on top of gathering materials, it will become a mountain overnight. Matthew says, “We left every phone call with a lengthy list of information to gather, and we took care of that every day.”