HITRUST Certification and Marketing Solutions: Security Protocols that Enhance Insurance and Medical Clients’ Peace of Mind


Medical practices and insurance companies can face devastating ramifications when private data is released due to data breaches, including thousands of dollars in fines, millions of dollars in business loss, diminishing of the business’s reputation and the stress of having patients’ health care information compromised.

Among others, a crucial preventative measure is to verify that business associates, such as direct mail marketing companies, will place as much of a priority on protecting patients’ Personal Health Information (PHI) as the medical practices and insurance companies do. 

A direct mail marketing company with HITRUST Certification has the framework and protocols in place to secure this data and meet obligations – providing medical practices and insurance companies with greater peace of mind.

HITRUST stands for the Health Information Trust Alliance. The organization and its highly respected certification program were founded in 2007 as a response to increased needs for data security in the marketplace. It was designed by taking the requirements from multiple reporting agencies and synthesizing them into one set of protections that is clear and consistent.

To be as specific as it can about data protection, HITRUST gathers more than 40 control objectives and sections those into 19 control categories. There are 845 guidelines overall, and three implementation levels are laid out depending on risk factor. The result is a common security framework for risk management and a way to streamline protocols, regulations and checks and balances. 

Depending on a business’s industry and its services, each entity seeking certification must follow many of the 845 guidelines to earn HITRUST certification. For example, Phoenix Innovate (PI) uses Version 9.3 of the HITRUST Common Security Framework (CSF). Based on the scope of our environment, we must comply with 240 controls derived from these 19 assessment domains in order to achieve and maintain HITRUST certification.

PI spent more than two years and countless hours to obtain this HITRUST certification, and it was well worth the effort. We take pride in protecting our clients and their stakeholders, and our security protocols are a core part of our company values. Today, we remain one of very few direct mail marketing companies with HITRUST certification, a designation that means so much to our clients and our team.

The 19 HITRUST Assessment Domains

Why is HITRUST certification so meaningful and impactful?

Consider these statistics:

  • Nearly 50 million Americans were affected by data breaches involving health records in 2022. Of the 693 healthcare data breaches reported, more than 78 percent were due to hacking or IT incidents. Other common types of breaches were related to theft, loss and improper disposal.
  • Approximately 300,000 new pieces of malware are created every day.
  • Small businesses account for 43 percent of cyberattacks annually.
  • In 2020, small businesses faced over 700,000 attacks, which caused nearly $3 billion in damages.
  • According to the FBI, more than 800,000 complaints of cybercrime were registered in 2022, with more than 400 million people impacted.
  • About 30 percent of all large data breaches occur in hospitals.

However, hospitals, medical providers and insurance companies are not the only targets. Businesses that provide services to these companies and are, therefore, privy to PHI data are also susceptible to data theft.

Between December 1, 2021, and January 21, 2022, 15 of the 82 data breaches reported to the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) occurred at business associates, affecting nearly 340,000 individuals. Examples of these breaches include a cybersecurity incident at a CPA firm that affected almost 71,000 individuals, as well as a cybersecurity incident at a peer review organization with healthcare-based clients that affected approximately 135,000 individuals.

In 2020, the OCR fined a Tennessee-based management company $2.3 million for a case involving several alleged violations of HIPAA rules, including a breach of the electronic protected health information (ePHI) of more than 6 million individuals. The company had provided services – including legal, compliance, accounting, operations, human resources, IT and health information management – to hospital operator companies and affiliates of a health system. The penalty stemmed from a 2014 incident where hackers remotely accessed this business associate’s records. The company did not detect the intrusion but was notified about it by the FBI eight days later.

Because cybercriminals are becoming more tech savvy and creative, healthcare organizations are paying more attention to the security of data being handled by third-party vendors and other business associates. However, it can be difficult to monitor the work of business associates closely, which is why it’s important to vet business associates thoroughly and properly beforehand.

All of this reinforces the need for stringent protocols for security protection and advanced solutions for threat mitigation – which are integral factors in HITRUST certification. 

To become a HITRUST-certified marketing provider, a business must demonstrate that it is following applicable guidelines based on the control categories. In Version 9.3 of the HITRUST CSF as applicable to PI, these 19 assessment domains are:

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Security
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging and Monitoring
  13. Education, Training and Awareness
  14. Third Party Assurance
  15. Incident Management
  16. Business Continuity and Disaster Recovery
  17. Risk Management
  18. Physical and Environmental Security
  19. Data Protection and Privacy

While health care and insurance are the primary industries, HITRUST certification supports protecting sensitive data in all industries.

A smiling doctor speaks with a patient in an office.
Protecting patients’ health information is integral to HIPAA and HITRUST compliance.

HITRUST Certification and HIPAA Compliance

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law that includes national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. 

As described by the U.S. Department of Health and Human Services, the HIPAA Privacy Rule applies only to these covered entities: health plans, health care clearinghouses and certain health care providers. However, the Privacy Rule allows covered providers and health plans to disclose protected health information (PHI) to “business associates” if the business associates will use the information only for the intended purposes, will safeguard the information and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

According to the HITRUST Alliance, more than 80 percent of U.S. hospitals, 85 percent of U.S. health insurers and many other covered entities and business associates leverage the HITRUST approach to aid their HIPAA compliance initiatives.

In other words, HITRUST’s comprehensive standards serve as a framework that naturally leads to HIPAA compliance, as long as they are followed properly.

As noted in the HIPAA Journal, covered entities that break HIPAA rules could face:

  • Termination of employment.
  • Termination of employment contracts.
  • Sanctions from professional boards.
  • Criminal charges that may include imprisonment and fines from $50,000 to $250,000 for an individual. The length of the jail term depends on whether the violation was negligent, whether the disclosure was made under false pretenses, and whether the violation was for personal gain or malicious harm. A HIPAA violation can be considered a felony depending on the extent and willful neglect involved in the incident.
  • Civil penalties ranging from $127 per violation as of January 2023, or up to $1,919 when the violation involves willful neglect and is not corrected.

As various reports have shown, several of the largest and most dangerous breaches happened to business associates such as direct mail marketing companies over the past several years.

To date, however, Phoenix Innovate has had zero HIPAA violations, which is a testament to our commitment to our clients and compliance standards. As a direct mail marketing company that works with clients in the health care and insurance industry, we place the utmost priority on keeping data and documents protected.

A health care provider uses a computer in a hospital room. A patient and doctor are in the background.
Insurance companies and health-care providers must follow protocols to ensure patients’ private data is protected.

How Our HITRUST Compliance Protects Our Clients

A cyberattack happens every 39 seconds, equaling at least 2,244 hacking attempts per day.

In 2022, data breaches from business associates exposed almost 26 million healthcare records, which, for the first time, surpassed the number of records exposed at healthcare providers.

This disturbing fact illustrates why earning HITRUST certification is such an important accomplishment. More than 84 percent of health plans and organizations (covered entities) use the HITRUST Common Security Framework, but very few business associates take the extra steps to achieve the certification. Even fewer of those associates are direct mail marketing agencies. 

Phoenix Innovate remains one of very few direct mail marketing companies with HITRUST certification.

Our certification process began with a comprehensive internal audit, where we identified each potential threat to our data’s security and enacted checks and balances to protect that data. A third-party verification made sure we didn’t miss any weak links. After that, the common security framework representatives conducted their own review of our risk management. Compliance officers examined every step of our data reporting and management over the course of several visits to our office and warehouse. We then dedicated many months to proving our compliance by showing that our policies were effective against potential data breaches and hacking. 

After validation by the assessors, we earned our HITRUST certification in February 2022.

Complying with HITRUST protocols is essential to keeping our clients’ data safe, and our certification demonstrates our commitment to protecting the people and businesses in our communities. No matter what industry our clients are from, the PI team will continue to live up to the principles and practices of HITRUST’s guidelines by giving every client’s data the utmost protection.

Contact us to learn more about our HITRUST standards and marketing solutions.

Read our case studies to see how HITRUST and HIPAA standards have had a positive impact on our health care and insurance clients.

  • Elevance Health, the largest health company in the Blue Cross Blue Shield Association, was looking to scale up the number of programs we supported in order to optimize their extensive direct mail program. To address their challenges, we created a web-based platform, known as Inform247—HITRUST Certified, that handles sensitive data securely and significantly reduces “touches” by our clients’ staff – which helps to reduce the possibility of HIPAA violations.
  • We helped a national health insurance provider find a solution for its member communications, including direct mail packages in multiple languages. Previous vendors failed to meet deadlines without HIPAA violations. After we employed our rigorous, process-oriented approach while using technology to protect PHI, every job has been delivered on time for more than 12 years, all with no HIPAA violations.
John Holloway
John Holloway

Vice President – IT Infrastructure & Security

Phoenix Innovate

LinkedIn logo