What is HITRUST and Why Should Consumers Care?

As with other businesses, new technology has given Brokers the opportunity to better serve their customers. However, advancements in technology can also open them up to new threats, such as cybersecurity concerns over the privacy of electronic medical records. This concern can scare off potential customers if not addressed, which is why FormFire has been HITRUST certified for years.

What is HITRUST?

The Health Information Trust Alliance, also known as HITRUST, is a not-for-profit group that dedicates itself to protecting sensitive healthcare information. The organization collaborated with healthcare and information security experts to create the Common Security Framework (CSF) to protect organizations from data breaches and other attempts to steal sensitive healthcare information. The CSF is based on both risk and compliance needs to create a common, trusted framework that can be used by organizations of all shapes and sizes. To do this, HITRUST followed several accepted standards to create baseline security controls. These standards include:

  • PCI
  • NIST
  • ISO
  • FTC
  • AICPA Trust Services Principles and Criteria
  • FFIEC Information Technology (IT) Examination Handbook – Information Security, September 2016
  • Federal Risk and Authorization Management Program (FedRAMP)
  • Various state laws

The HITRUST CSF is a certifiable information security framework that provides organizations with an actionable roadmap tailored to the unique needs of the healthcare industry. To date, the HITRUST CSF is the most widely adopted security framework in the U.S. healthcare industry. HITRUST actively maintains the CSF, which is currently in its ninth version.

Why Should You Care?

Being compliant with the HITRUST CSF can be very advantageous for a Broker. Since its introduction, the CSF has been widely adopted by healthcare organizations. Healthcare IT News cites that “more than 84 percent of hospitals and healthcare organizations use CSF to strengthen the security of their PHI and PII creation, access, storage, and exchange.” In fact, Carriers such as Anthem, Highmark, and United Health Group all require their business associates to be compliant with the HITRUST CSF.

There’s also the impact HITRUST can have on working with Employers. A HITRUST-certified privacy and data security partner can make your services more attractive to an Employer. A HITRUST certification serves as a third-party approval that your organization meets all the security requirements in the CSF. When it comes to sensitive healthcare information, that assurance can mean the difference between an Employer opting for your services and those of another Broker.

---

FormFire recognizes how important cybersecurity is when receiving, compiling, and transmitting sensitive information. That’s why we took the steps to become HITRUST CSF-certified to ensure that our online insurance enrollment software not only simplifies the sales process, but also ensures that adequate controls have been established to protect PHI and comply with the HIPAA Privacy, Security, and HITECH regulations.