HITRUST’s Evolution and Important Role in Strengthening HIPAA

January 11, 2018 / Evolve IP

Excerpts from HITRUST and Cybersecurity 2018: Part 1 - Evolution and Adoption

As recently announced, Evolve IP is proud to have achieved HITRUST CSF certification. View the HITRUST certification press release here. Certification to the HITRUST Common Security Framework (CSF) affirms that all of Evolve IP’s cloud computing and cloud communications services adhere to the strictest security standards for electronic protected health information (PHI). HITRUST is a critical component of today’s healthcare conversation because it focuses on the most important issue facing the industry: data security. Our 250+ healthcare clients have always received HIPAA-compliant cloud services, but HITRUST is in a different class.

HIPAA compliance is certainly very important, but being “compliant” is far different from “providing a culture of data security”. That’s the difference that HITRUST makes.

To help our clients and all participants in the healthcare community (ranging from covered entities to any service provider that touches PHI data) understand the implications of HITRUST, Evolve IP recently hosted a seminar entitled HITRUST and Cybersecurity 2018. The day’s first keynote speaker was Omar Khawaja, the Chief Information Security Officer (CISO) at Highmark Inc. in Pittsburgh. Below are some excerpts from his keynote address (47 minute video clip) that explain how HITRUST changes the game. Specifically, the excerpts answer the following questions:

  • What problem were you trying to solve when you began thinking about HITRUST?
  • Why is HITRUST a great fit for the security demands of healthcare?
  • How did you decide to start requiring HITRUST certification for your vendors?
  • How and why is support for HITRUST growing?
  • Are your third parties complying with the HITRUST requirement?

What problem were you trying to solve when you began thinking about HITRUST?

I realized that the amount of risk posed by our information that was (being held by business associates) outside of our four walls was significantly greater than the risk posed by what is inside our four walls. That’s simply because of the math. We’ve got probably 10, or 20, or 30 times more of our members’ information that we are sharing with some third party through the course of doing business than that which actually exists within our own four walls. So it’s important for us to have a good security program at Highmark Health, but it’s probably MORE important for us to have a phenomenal strategy for ensuring that our members’ information, and our patients’ information, is just as secure when it leaves our four walls.

We run eight hospitals with about 400 physician offices. We also provide medical, vision and dental insurance to customers all over the country. All told, we have about 45 million customers across the country whom we’re responsible for. Protecting their information is the thing that keeps me up at night because that is my responsibility.

Why is HITRUST a great fit for the security demands of healthcare?

The HITRUST CSF is a risk-based control framework and it actually maps to 20 different compliance requirements and authoritative documents (2 minute video clip). If you’re concerned with PCI, HIPAA/HITECH, various state privacy laws, ISO 27001, NIST, FFIEC requirements and probably about 8 or 10 others, HITRUST essentially harmonizes them. It doesn’t come up with something new, it just takes a lot of those existing compliance requirements and builds crosswalks against them.

In order to achieve the HITRUST certification an approved CSF assessor must validate every single control. Further, the recertification happens every two years and upkeep of the control framework is every single year. Consistently, HITRUST has updated the Common Security Framework based on feedback from the industry, from the auditors, from the assessors and from the government. So it does evolve based on the needs of the industry.

How did you decide to start requiring HITRUST certification for your vendors?

In early 2016 Highmark got together with four other healthcare payers – HCSC, UnitedHealthcare Group, Anthem and Humana – to agree on an approach, because if we do something individually it’s probably not going to be as effective as if we do something as a group. We all decided on three things:

  • We’re going to have our control requirements defined by the HITRUST Common Security Framework (CSF)
  • Controls must be validated by an approved HITRUST assessor, and
  • Our business associates must obtain a HITRUST CSF certification within two years (2018)

In our approach, five large health plans partner together to convey consistent and easy-to-understand requirements. Among us we actually had 7500 third parties that this requirement went out to. The requirement is easy. You just have to go get HITRUST certified (1 minute video clip). The requirements get updated every year. Every two years you have to go get recertified. We don’t have to update our contracts every year just because there’s a new cyber threat out there.

The number one thing I was looking for is that 100% of my third parties have an evidential review of policies and validation of every single security control. I just want 100% of my vendors to be HITRUST certified. Otherwise I don’t feel comfortable going to my customers and saying “trust us, we’re on it.”

How and why is support for HITRUST growing?

  • At this point there’s probably close to 90 or a hundred organizations out there that have done the same thing that the five of us did to begin with: they have now required all of their third parties to be HITRUST certified.
  • Organizations are convinced that HITRUST is here to stay (38 seconds). I can tell you that because I’m now starting to see a lot of demand and growth from the financial services industry. And I’m starting to see it from the technology sector. And for other areas where they aren’t in healthcare. They don’t have protected health information (PHI) but they’re looking at this framework and saying “this is what we want to do” and “this is what we’re going to use.”
  • Today we’re seeing it work because organizations are seeing value (35 seconds). In just the month of September my team had three questionnaires that we were able to go back to our customers and say “hey, we’ve got this HITRUST certification. Do you really want us to respond to your questionnaire or would you like the three hundred page report from HITRUST based on an on-site audit that lasted three months?” In all three of those cases they said “forget about the questionnaire, just send us the report.” That is value right there.

Are your third parties complying with the HITRUST requirement?

To date the vast majority of our third parties see the value in the approach and have committed to it. There’s one vendor that was escalated to me and I had to have about two or three conversations with them to say “why aren’t you getting HITRUST certified? And if you really aren’t, let me know because then we need to start making plans to stop doing business with you.” Because we were serious. They came back to me in spring of this year and said they are going to go and get HITRUST certified.

I was talking to one of the Fortune 10 technology vendors earlier this year and they said “we have certification A and we have certification B and we have this in terms of our certifications” and I said “but none of them work for healthcare. This (HITRUST) is what you need to do for healthcare (43 seconds). What you’re doing doesn’t really work for me in healthcare. Give me something that works for me. It’s okay if you don’t want to serve the healthcare industry. We can go to a different vendor. But I can tell you that this is the expectation within healthcare.”

Contact us today for more information about Evolve IP’s HITRUST certified communications and computing solutions, or about our upcoming educational events.