Does Being Compliant Make You Complacent?

“Compliant” versus “complacent.”

They look like related words, and they came to mind as I reflected on Aunt Bertha recently achieving HITRUST CSF® Certification for our site.

This was a big deal for us, as HITRUST champions programs that safeguard sensitive information and manage information risk for global organizations across all industries and throughout the third-party supply chain. As a leader within social determinants of health, many of our customers are health insurance and healthcare providers, and they want to have confidence in how we are maintaining and protecting people’s data and privacy through information security best practices.

The HITRUST Process and Compliance: What is it?

The HITRUST process consists of having an outside organization approved by HITRUST (called an “assessor”) come in and review the safeguards we have in place for IT security and privacy (called “controls”) to confirm that they meet the requirements laid out in the HITRUST CSF®. The HITRUST CSF® draws its security controls from a range of standards, such as NIST and ISO 27001, that can improve a company’s IT security program, and it includes requirements specific to the health industry, such as the HIPAA Privacy and Security Rules. The word “compliant” means conforming to requirements, and we spent months preparing documentation, taking screenshots, and answering interview questions to show that we were compliant with the HITRUST requirements.

All this effort is required because healthcare organizations operate under a complex and growing set of regulations and guidelines, all while trying to manage rapid technological change. The HITRUST requirements are continually updated to reflect new technologies and regulations. Companies of all kinds that work with an organization holding HITRUST certification can have confidence that the partner is following best practices to protect data within the certified scope, without having to conduct their own in-depth security review, which saves them time and money. This also benefits smaller Aunt Bertha customers and partners who wouldn’t have the resources to conduct an IT security audit of their own. They can know that Aunt Bertha is treating their data with the same care as our largest customers.

Not Resting On Our Laurels

“Complacent,” on the other hand, is defined as showing smug or uncritical satisfaction with one’s self or one’s achievements.

Since long before Aunt Bertha went through the HITRUST certification process, respect for the privacy of Seekers, the primary users of our site, has been a key part of what we do, starting with our anonymous search page. We understand that the last thing someone who needs help wants to deal with is a lot of intrusive questions. We understand that sometimes you have to do what’s less profitable, or less convenient, to do what’s right for your community.

We’ve always worked hard to protect people’s information and provide a secure website, but HITRUST became our opportunity for an outside organization to confirm it for everyone else, including potential partners who must meet strict privacy and security standards.

Yes, we’re proud that we’ve achieved this certification, but as we provide more and more people the opportunity to connect with social services, we don’t want to be “uncritically satisfied with our achievement.” We will keep doing more to ensure the safety of data while we continue to innovate to connect all people in need and the programs that serve them (with dignity and ease)… and security.

We are compliant, but more importantly we will never be complacent.