HITRUST Certification Simplifies Your Partnership with VSP
Protecting Members' Health Data
VSP® Vision Care is proud to announce that assessing and monitoring our security infrastructure is now even easier given our 2023 achievement of HITRUST CSF® Certification. Widely considered the gold standard in information security, this certification gives our partners added confidence that our processes and platforms protect members’ health data.
In its most recent published report to Congress, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services reported to Congress that there were 609 healthcare data breaches affecting more than 37 million consumers.1 Of these, 77 reports were from corporate business associates, typically third-party vendors, who were trusted by their customers to securely manage protected health information (PHI).2 A 2018 study by the independent, Michigan-based Ponemon Institute implies these data breaches may be a result of corporations lacking infrastructure to effectively monitor their vendors' security infrastructure.3
Says VSP Vision Care President Kate Renwick-Espinosa, "One of the effects of the COVID-19 pandemic is an erosion of trust in healthcare. While VSP has maintained compliance with HIPAA for its nearly 30-year history, we decided now was the time to achieve HITRUST CSF certification, so we can help our members and customers feel confident that we are keeping their PHI safe."
Founded in 2007, HITRUST is the worldwide leader in helping corporations develop and maintain standards-aligned information risk management infrastructure across all industries and throughout the third-party supply chain.
Achieving HITRUST CSF certification is a demanding, multi-stage process that culminates with an external review by a HITRUST Quality Assessor who determines if an organization qualifies to receive a Letter of Certification. Given the dynamic nature of the cybersecurity industry, HITRUST certification standards regularly evolve to ensure certified entities continue to meet the challenges of using, storing, and sharing PHI and other vulnerable data.
HITRUST CSF certification indicates corporate compliance with HIPAA, HITECH, and dozens of other federal, state, and industry cybersecurity standards4, including:
|CMS Acceptable Risk Safeguards (ARS) v.3.1
|California Consumer Privacy Act (CCPA)
|AICPA Trust Services Criteria
|CMS Minimum Acceptable Risk Standards for Exchange (MARS-E)
|Massachusetts Data Protection Act (201 CMR 17.00)
|CIS Critical Security Control (CSC) v.8
|DHHS Office for Civil Rights Audit Protocol and Guidance or Unsecured PHI
|Nevada Security and Privacy of Personal Information (NRS 603A)
|Family Educational Rights and Privacy Act (FERPA)
|New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500)
|Electronic Healthcare Network Accreditation Commission (EHNAC)
|FDA 21 CFR Part 11
|New York Office of Health Insurance Programs (OHIP) Moderate-Plus Security Baseline
|Federal Financial Institutions Examination Council (FFIEC)
|Federal Risk and Authorization Management Program (FedRAMP)
|Texas Administrative Code 15 390.2
|FTC Red Flags Rule (16 CFR 681)
|South Carolina Insurance Data Security Act
|Joint Commission v. 2016
|NIST including Cybersecurity Frameworks, SP 800-53 r4, and SP 800-5 =3 r5
|OECD Privacy Framework
|IRS Publication 1075
|Payment Card Industry (PCI) DSS v. 3.2.1.
1 Office for Civil Rights, U.S. Department of Health and Human Services. 2022."Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2021." Accessed September 6, 2023. https://www.hhs.gov/sites/default/files/breach-report-to-congress-2021.pdf
3 Ponemon Institute, LLC. November 2018. "Data Risk in the Third-Party Ecosystem: Third Annual Study." Accessed on September 6, 2023. https://www.ponemon.org/userfiles/filemanager/nvqfztft3qtufvi5gl60/
4 HITRUST Alliance. 2023. "HITRUST CSF Authoritative Sources Cross-Reference." Accessed on September 6, 2023. https://hitrustalliance.net/csf-license-agreement/