We received a few questions regarding the HITRUST ITN 2021-01 for Healthy Start MomCare Network, Inc. I am sharing the questions and answers with you to ensure everyone has the same information. Please note that we are removing the HITRUST De-ID Framework from out ITN proposal request. The questions and highlighted answers are below:
- Do you have any external commitments within the next 18 months to complete a HITRUST Readiness Assessment, Validated Assessment, or Validated Assessment with Certification? No, HSMN has agreements with each of the MMA health plans. One health plan has required we move to HITRUST with an agreement for HSMN to re-set the timeline. We are also being proactive and recognize this is the direction the industry is moving.
- Do you have established Security and/or Privacy programs with policies, procedures, and formally designated officials? Yes. We are compliant with HITECH with appropriate policies and procedures for this level. There are security officers designated at HSMN, Go Beyond, and each user’s agency.
- Have you conducted any prior HIPAA or other security or privacy assessments by an external assessor? No, we have existing documentation (SOC2) related to the primary web application (Go Beyond MCH for Well Family System), but nothing related to HSMN.
- Technical Factors No. 18 on page 13 states less than 100,000 transactions per day. However, this is not one of the options available in MyCSF. The options are (a) fewer than 6,750, (b) 6,750 to 85,000, (c) greater than 85,000. Please advise which is the correct response.
- Authoritative Factors No. 11 on page 14 states inclusion of HITRUST De-ID framework. Including this factor triggers additional controls into the scope of the assessment. We typically advise against including any factors except for HIPAA in your first HITRUST certification unless you are contractually required to do so. Please confirm that this factor should be included. This item can be removed from the HITRUST ITN request. In the future, we could add the De-ID Framework into a later assessment if required at that time.
- Company Information No. 4 states ‘baseline’ for Privacy. Please clarify what you mean by baseline? (a) HIPAA Privacy (found under HIPAA Regulatory Factors), (b) Privacy Controls (found in MyCSF Assessment Options), or (c) None (relying only on Domain 19 privacy questions)?
Thank you for your time and let me know if you have any further questions.