Interwell Health Achieves HITRUST Risk-Based, 2-year Certification

Interwell Health recently went through a rigorous audit to achieve HITRUST Risk-Based, 2-year (r2) Certification for its care team system, demonstrating its commitment to protecting sensitive patient data. The designation reflects the highest level of information protection assurance possible.

Philip Guldberg, Director of Information Security for Interwell Health, discusses this important milestone.

Q: What is HITRUST certification?

PG: HITRUST has developed a common framework, the HITRUST CSF, to ensure healthcare organizations are following a set of industry-wide standards for security and compliance around their patient data. This framework includes a wide range of requirements and incorporates many different regulations and standards. HITRUST has established levels of excellence and expectations to help demonstrate that an organization and their information systems are following best practices.

Q: How does HITRUST certification support our mission to reimagine healthcare?

PG: When Interwell Health talks about reimagining healthcare, we are trying to do something that has not been done before. To be successful, we need partners to trust us and have confidence in what we are trying to achieve through our innovative value-based care approach. As we were looking at data protection and risk management, we believe our HITRUST certification is essential to proactively show our commitment to protecting patient data.

Data is a key driver of our clinical decision-making and helps us improve the lives of people living with kidney disease. As a data-driven company, this HITRUST certification shows that we are satisfying our commitment to our mission by meeting industry-approved information protection standards. It’s our promise to patients that they can trust us with their data. While we have always taken security very seriously, this certification offers another level of assurance to partners choosing to work with us. Our goal is to improve patient outcomes and reduce the cost of care while also demonstrating our commitment to information security.

Q: Why does it matter to our partners that we have HITRUST certification?

PG: Unfortunately, healthcare has been on the front lines of ransomware and cyberattacks for many years. The consequences of an attack can be devastating for any business and its relationships with customers. While there is no predicting when a malicious actor is intent on infiltrating a system, there are steps that organizations can take to reduce the overall risk of incidents. A HITRUST certification shows we are actively taking steps to lower and mitigate these risks.

By working to secure our data using the highest standards of information security control protection, a higher level of trust is immediately set so our payer partners are more willing to exchange their data. We use our partner’s data to risk stratify their members for those most at risk of hospitalization or kidney disease progressions, helping us reach the right patient at the right time with meaningful interventions.

Q: How rigorous a process is an r2 certification? Are there different levels of certification offered by HITRUST?

PG: The r2 certification is the most rigorous assessment, and achieving this certification requires intense audits and responses to evaluate our systems. It means we are part of an elite group that has earned this highest-level certification. Compared to HITRUST e1 and i1 certifications, the r2 is the most difficult because it takes a risk-based approach that involves almost 600 questions and can take up to one year to complete. The evaluation looks at each policy and procedure that we have in place, and then ensures that each one is also implemented and effective in governing our information security controls and processes.

When Interwell Health completed its three-way merger in August 2022, we focused on getting specific systems fully certified that would be implemented in 2023. While we could have chosen a quicker process with a lower level of certification, we believed it was important to take the time to achieve this highest level of rigor so that our partners could have the highest level of confidence in our commitment to information protection.