Ahead of the California Consumer Privacy Act's January 1 effective date, HITRUST has incorporated the standard into its Common Security Framework to help providers measure compliance.
HITRUST announced it has incorporated the California Consumer Privacy Act standard into its Common Security Framework (CSF), to support providers measuring CCPA compliance during existing risk assessment and certification processes.
HITRUST is a data protection standards development and certification organization that helps providers, business associates, and vendors better safeguard their sensitive data and manage IT risk, across all industries and throughout the third-party supply chain.
CCPA is considered to be as stringent as the EU General Data Protection Regulation, intended to give consumers more control over their data. It’s seen as a model for other privacy regulations, including the New York Shield Act, which went into effect on October 23.
The law was designed to empower consumers, creating an expectation that they can access their data, ask for it to be corrected or deleted, and even limit its uses.
All US organizations that collect or use personal or private data from California residents must comply with CCPA, which goes into effect on January 1, 2020. While the law does carve out exceptions for the healthcare sector for HIPAA-covered data, healthcare organizations will still need to determine whether any personal information they collect falls outside the scope of that exception and is therefore subject to CCPA.
However, security and compliance leaders have noted that many organizations are finding it challenging to sift through the increasing number of state and federal privacy and security regulations to ensure and maintain compliance.
According to HITRUST, adding the CCPA to its CSF framework will let organizations quickly assess whether they meet the new privacy requirements, and identify any gaps that need to be remediated. The law will have “a significant impact,” given its extensive rules mandating that organizations implement and maintain reasonable security procedures.
Organizations required to comply with the law can perform a CCPA assessment by adding the CCPA as a regulatory factor through the MyCSF assessment tool. Those organizations already leveraging the HITRUST standard will be able to identify and implement applicable privacy controls, using fewer resources.
The latest HITRUST CSF includes both mappings and information related to CCPA, including both the original version and recent amendments. Officials said they will continue to enhance the CCPA language in the framework and its risk management and compliance tools.
“The HITRUST CSF includes comprehensive privacy controls as well as mappings to both the CCPA and the GDPR,” according to the release. “The CCPA is just different enough from the GDPR to create confusion in terms of compliance. HITRUST has helped businesses manage GDPR compliance and will help organizations doing business in California to minimize the impact of new regulatory requirements.”
“The CCPA requires American organizations to look at data in a new way, as we are not used to data subjects having the type of rights granted them under the CCPA,” Anne Kimbol, HITRUST Chief Privacy Officer, said in a statement. “By including leading privacy standards and principles, including EU’s GDPR and the CCPA mappings into the HITRUST CSF, we help our customers identify and mitigate gaps and risks in their existing programs that help them meet not just the growing compliance requirements but also customer expectations.”
A recent HITRUST study found that nearly all organizations that pursue HITRUST CSF certification to demonstrate security strength and compliance not only maintain, but improve their security posture over time.
Source: Healthit Security