HITRUST and EHNAC: Influential organizations for healthcare compliance among MTDCs

451 Research

Two of the most influential organizations for healthcare compliance are the Health Information Trust Alliance (HITRUST) and the Electronic Healthcare Network Accreditation Commission (EHNAC). Any service provider that targets the healthcare vertical is aware of the HITRUST CSF framework and EHNAC accreditation, which are among the toughest standards a datacenter can be assessed against.

The 451 Take

Compliance is a rigorous process for datacenter and cloud service providers, and it grows more important as the number of businesses outsourcing workloads, applications and other business functions to service organizations continues to rise. Earning HITRUST CSF certification and demonstrating HIPAA compliance is something to be proud of, and reflects a new era of safety and security expectations for datacenter and cloud services. In our Datacenter KnowledgeBase, where we track multi-tenant datacenter facilities worldwide, we have seen HIPAA compliance rise slowly and steadily over the last two years, to 13.6% of the base. We expect this share to keep rising as the healthcare and life sciences verticals continue to modernize.


HITRUST was founded in 2007 and is a privately held company. In collaboration with healthcare, technology and information security representatives, it established the Common Security Framework (CSF). The HITRUST CSF addresses many of the security, regulatory and privacy challenges that organizations face in handling protected health information (PHI). It cross-references globally recognized standards, regulations and business requirements, including ISO, NIST, HIPAA, PCI and state laws. It follows a risk-based approach with multiple levels of implementation requirements, scaled to the size and complexity of the organization. By normalizing these overlapping requirements into one control set, the CSF provides consistency and clarity and reduces the compliance burden for organizations involved in healthcare.

A service provider seeks HITRUST certification either to fulfill service agreements or to distinguish itself in the market through industry best practices for handling PHI and other sensitive data. HIPAA-regulated companies want assurance that their service provider protects PHI consistent with HITRUST's standards, backed by a successful audit from a third-party assessor; since HIPAA itself has no certification program, a HITRUST CSF certification is the assessed evidence most providers point to. HITRUST claims that over 84% of hospitals, health plans and healthcare organizations use the CSF framework. The process runs as follows. The provider first purchases a subscription to the MyCSF tool and performs a self-assessment. It then engages an external assessor and creates a comprehensive plan to implement the required aspects of the HITRUST program; implementation and integration can take weeks to several months, depending on the size of the organization and its needs. Next, it performs a walk-through assessment to find and fix any remaining areas of non-compliance. Finally, the assessor's work is submitted to HITRUST with supporting evidence. HITRUST scores the results and, if the score is sufficient, issues a CSF certification.


Another accrediting body to be aware of, specifically for service and cloud providers focused on healthcare, is the Electronic Healthcare Network Accreditation Commission (EHNAC). EHNAC is a non-profit organization founded in 1993 to improve transaction quality, operational efficiency and data security in healthcare. More than 30 representatives from the healthcare transaction industry participated in a series of surveys and meetings to develop the first set of industry standards for data transmission, security and resource capability. The self-governing EHNAC organization was formed as a result and began accrediting electronic health networks in 1995.

EHNAC continues to work through industry collaboration and currently offers 18 accreditation programs. Datacenter and cloud service providers will find the Outsourced Service Accreditation Program (OSAP), which is tailored to datacenters, of most interest. In addition, there is a cloud-enabled accreditation program, available only as an add-on for organizations that have already applied for another EHNAC program.

Each of the EHNAC accreditation programs promotes standards, best practices, administrative simplification and protection of information exchange with respect to security, privacy and confidentiality. The programs set the foundational requirements used to measure an organization's ability to meet HIPAA, the HIPAA Omnibus Rule, HITECH, ARRA, the Affordable Care Act and other mandates in these areas.

In October 2016, EHNAC went as far as replacing its HIPAA-related privacy and security criteria with the HITRUST CSF provisions and controls. After mapping the two programs against each other, it found a great deal of overlap and worked with HITRUST to streamline the processes and make them more transparent for the industry. As a result, an organization can pursue HITRUST CSF certification and EHNAC accreditation through one coordinated assessment.