
cyBARR Chats: HITRUST Edition Part 6: HIPAA vs. HITRUST

September 15, 2021



[00:00:00] Christine Falk: Hi everyone, and welcome to episode six of cyBARR Chats, HITRUST edition. Today, we will discuss the difference between HIPAA and HITRUST with HITRUST manager Swathi West. So Swathi, first off, can you tell us why it’s so important for healthcare organizations to stay vigilant with security and compliance?
[00:00:20] Swathi West: According to healthcare breach reports, healthcare data breaches increased by 55% in 2020, impacting the protected health information of an estimated 26 million people in the United States alone. And with healthcare data breaches costing an average of $7 million, according to IBM, organizations cannot afford to be lax about security and compliance.
Given the challenges and risks faced by the healthcare industry, protecting its data is more critical than ever. So that’s the reason it is very important for healthcare organizations to stay vigilant with security and compliance.
[00:01:08] Christine Falk: So when it comes to healthcare, security and compliance solutions, we often hear the acronyms HIPAA and HITRUST thrown around. Can you tell us first about HIPAA?
[00:01:16] Swathi West: The Health Insurance Portability and Accountability Act, or just HIPAA, is a federal law passed in 1996 that is designed to protect patient health data. So who’s subject to HIPAA anyway, right? Covered entities are the individuals and organizations that are required to comply with it.
This can include healthcare providers, health insurance companies, healthcare clearinghouses, and any business associates of the covered entity that either use or disclose PHI during the process of providing and receiving quality health care. Health data has to flow from one entity or individual to another.
So if you’ve been to the doctor recently, you can probably visualize the flow. I had my annual checkup done recently. So the nurse tells the doctor about why I came in today. The doctor did an examination, some blood work, and depending on the results and diagnosis gave a prescription. My doctor’s office then sent the prescription information to my pharmacy, and my health insurance also got the summary of my visit in order to provide coverage.
So if you see, you know, the health data is flowing from the doctor’s office to your pharmacy and then to your health insurance. With so many patient portals and apps, like you see in everyday life, MyChart, Epic, all of my healthcare data today can flow and be available to me.
I can just open my phone and I can look at my chart. I have all my schedules, my prescriptions and everything that I have to do for the next visit. So that is the reason, because the information is so readily available electronically to everyone, the HIPAA Privacy Rule will ensure that PHI is protected throughout that flow by addressing when and how individual health information can be used or disclosed. And the HIPAA Security Rule requires all covered entities to ensure the security, confidentiality, integrity and availability of that electronic PHI, to detect and also protect against security threats, which can be, you know, threats or disclosures.
And to even certify compliance within their workforce. And that’s the reason, you know, HIPAA is very important and that’s the reason we have HIPAA in place for the security and compliance of healthcare PHI.
[00:04:01] Christine Falk: What about HITRUST?
[00:04:04] Swathi West: HITRUST is an organization of healthcare and information security professionals that was founded to support covered entities and business associates in meeting both security and compliance obligations.
To do so, HITRUST developed and maintains the Common Security Framework, which is the CSF. So the CSF is a cybersecurity framework designed to protect healthcare data and help healthcare organizations comply with regulatory requirements. And HITRUST CSF is globally recognized and is also the most widely adopted security framework in the US healthcare industry.
So as a framework, HITRUST CSF provides organizations with standardized, prescriptive controls to be implemented in order to secure healthcare data and fulfill security and compliance obligations, which would include compliance for other frameworks as well, not just HIPAA. We have NIST, PCI, CMMC and you name it.
So HITRUST CSF is really a framework that you can use because it is standardized, it is secure, and it also provides transparency in the healthcare industry and also establishes trust between an organization and its users, and even patients and business partners as well.
[00:05:37] Christine Falk: So what is the difference between HIPAA and HITRUST?
[00:05:40] Swathi West: In industry lingo, the meanings of HIPAA and HITRUST are all very confusing. You know, we have clients saying, “Oh, I’m going to get HIPAA certified,” while HIPAA is a federal law. HITRUST CSF is a framework that is used to help covered entities achieve HIPAA compliance and also compliance with other security standards.
Like I mentioned, PCI, NIST or CMS. It might be helpful to think of HITRUST CSF as a response to the current requirements and even other healthcare security regulations. Healthcare organizations, like we discussed, which can be healthcare providers, health insurance companies, healthcare clearinghouses, and any business associates of a covered entity, are required by law to comply with it.
And the HITRUST CSF framework allows them to do so by providing standardized controls that should be implemented for compliance. So just to reiterate, I know this is a lot of information, but, you know, think of it this way: HIPAA is a federal law, and HITRUST CSF is used to get HIPAA compliant.
[00:06:57] Christine Falk: So how will organizations know if HIPAA or HITRUST is the right fit?
[00:07:01] Swathi West: Great question. As you may have noticed, everything we’ve discussed so far can be very overwhelming for someone who just started looking into HIPAA or HITRUST, because this is a lot of information and a lot of dates and numbers. So I would say, for anyone who’s looking into HIPAA or HITRUST, start by contacting a partner like BARR Advisory to discuss if HITRUST or HIPAA is right.
We’ll be happy to talk about your needs and goals, but I think it is always important to start with: why are you getting, or why do you want to get, HIPAA compliant? Or why do you want to get HITRUST certified? Those are the important discussions that, you know, partners like BARR will be able to navigate through, ask you the right questions and, you know, drive you in a good direction.
So most of the organizations, from what we’re seeing, would be better off with a HITRUST CSF assessment rather than undergoing a HIPAA compliance audit. The only reason I say this is because, while organizations cannot get HIPAA certified, HITRUST provides a certification over HIPAA requirements. So that would ultimately deliver greater value to your stakeholders.
So if you’re looking for more value, definitely HITRUST CSF would be something you should look into. During your HITRUST CSF assessment, your auditor, like BARR Advisory, will verify controls that wouldn’t be verified during a HIPAA compliance audit, which can include mobile computing security, e-commerce, teleworking, or vendor management in a little bit more depth.
So although implementing HITRUST CSF is a rigorous process, it automatically helps organizations achieve HIPAA compliance and also reduces overall risk by continuously keeping an eye on all the checkpoints to easily identify security gaps. So you would have a framework that you can adhere to that would get you HITRUST certified on HIPAA requirements. And it would also help you with continuous monitoring and continuous improvement, and you could always, you know, get better with your security posture. In addition to HIPAA compliance, the controls implemented with HITRUST CSF can also be mapped to other regulations and frameworks.
So you could start with HIPAA the first year round, and then you’re like, okay, we might want to host a little bit of PCI information or financial information; then we could map the HITRUST controls to PCI and we can work towards that progress. So that’s the reason, you know, I would say it would be a better assessment compared to a HIPAA compliance audit, because it would help organizations standardize security and compliance.
And it’s a valuable asset to any organization that processes sensitive data.
[00:10:10] Christine Falk: That is such great information. Thank you so much, Swathi. We will discuss how you can now easily demonstrate HIPAA compliance and respond to OCR-related requests with the new HITRUST MyCSF Compliance and Reporting Pack for HIPAA in our next cyBARR Chat.
Thank you so much and have a great day.