EHNAC, HITRUST Combine HIPAA Security Criteria, CSF Framework

Two accreditation and certification organizations are working together to reduce costs and streamline the HIPAA compliance and assessment process.

By Elizabeth Snell

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) are collaborating to streamline their accreditation and certification programs.

EHNAC will replace its HIPAA-related privacy and security criteria with the HITRUST CSF provisions and controls, the two organizations explained in a statement. However, EHNAC will still maintain its stakeholder-specific benefits to the accreditation process.

The collaboration will allow CSF certified organizations “to leverage that assessment in obtaining accreditation for one of EHNAC’s 18 stakeholder-specific accreditation programs.” Organizations that are accredited by EHNAC will not be affected by the change.

EHNAC has a voluntary accreditation program, catering to organizations that exchange healthcare data electronically. It works to guide entities through best practices and operational and technical framework reviews.

Similarly, HITRUST has its common risk and compliance management framework (CSF). The CSF is “a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management,” according to the HITRUST website.

The two organizations added that by working together, they hope to reduce “inconsistent requirements and redundancies in control requirements and reporting involved in multiple assessments.”

“The healthcare industry is plagued by well-meaning yet inefficient processes, standards and protocols,” HITRUST CEO Daniel Nutkis said in a statement. “It is through this partnership with EHNAC, and potentially other like-minded standards organizations, that we are growing our vision of helping the industry eliminate the complexity relating to information protection and compliance.”

EHNAC Executive Director Lee Barrett added that there was a high percentage of overlap between the EHNAC HIPAA-related privacy and security criteria and the HITRUST CSF.

“It is an incredible win for the industry that our organizations partner together to, most importantly, ensure the security and compliance of the healthcare industry, but to also do so in a way that offers more leadership and efficiency, and less complexity, redundancy and costs,” Barrett stated.

Both EHNAC and HITRUST have been working over the past year to improve how organizations, including healthcare covered entities and business associates, can keep sensitive data secure.

Earlier this year, EHNAC launched its Cloud Enabled Accreditation Program (CEAP), which will assess an organization’s health information and oversight for meeting privacy and security, HIPAA, HITECH, Omnibus Rule and ACA requirements. The program also reviews an organization’s technical performance, business processes and resource management.

Barrett explained at HIMSS16 that CEAP can give organizations a specific level of structure and a comprehensiveness to “validate and accredit their cloud environment using one of our other accreditation programs.”

“As more and more organizations are using the cloud, and cloud environments for their data, this particular program allows organizations that are using the cloud to be using the FedRAMP program,” he said.

In August 2016, HITRUST launched a program designed to help smaller healthcare organizations prepare for increasing healthcare cybersecurity threats. Called HITRUST CyberAid, the program aims to help smaller healthcare organizations find the right healthcare cybersecurity solutions at an affordable price.

“Effectively addressing cyber security challenges, engaging in cyber information sharing and streamlining the HITRUST CSF Assessment process for physician practices have been a goal of HITRUST,” Nutkis said in an earlier statement. “This program is a big step forward towards those goals.”
