HIPAA vs. HITRUST: What’s the Difference?

August 23, 2021 | HITRUST

Healthcare data is an incredibly valuable target to hackers. With major security threats like outdated hospital systems, ransomware attacks, and phishing attempts threatening the healthcare industry, it’s important for healthcare organizations to stay vigilant with security and compliance. According to Bitglass, healthcare data breaches increased by 55% in 2020, impacting the protected health information (PHI) of an estimated 26 million people in the United States. And with healthcare data breaches costing an average of $7.13 million, according to IBM, organizations cannot afford to be lax about security and compliance. 

Given the challenges and risks faced by the healthcare industry, protecting its data is more critical than ever. When it comes to security and compliance solutions, you’ll often hear the acronyms “HIPAA” and “HITRUST” thrown around, but what do those acronyms actually mean? Let’s take a closer look. 

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 that is designed to protect patient health data. 

So who’s subject to HIPAA, anyway? Covered entities are the individuals and organizations that are required to comply with HIPAA. This includes healthcare providers, health insurance companies, healthcare clearinghouses, and any business associates of a covered entity that use or disclose PHI. 

During the process of providing and receiving quality healthcare, health data has to flow from one entity or individual to another. If you’ve been to the doctor recently, you can probably visualize this flow. The nurse tells the doctor about why you came in today, the doctor visits you and perhaps gives you a diagnosis and prescription, your doctor’s office sends your prescription information to a pharmacy, and your health insurance gets a summary of your visit in order to provide coverage. And with patient portals and apps, all of that data can be uploaded and available to you electronically, too. The HIPAA Privacy Rule ensures that PHI is protected throughout that flow of healthcare data by addressing when and how individual health information can be used or disclosed. 

The HIPAA Security Rule requires all covered entities to ensure the security, confidentiality, integrity, and availability of electronic PHI, to detect and protect against security threats, impermissible uses, and disclosures, and to certify compliance within their workforce. 

Now that we’ve covered HIPAA, let’s take a look at how to achieve compliance. 

What is HITRUST? 

The Health Information Trust Alliance (HITRUST) is an organization of healthcare and information security professionals that was founded to support covered entities and business associates in meeting security and compliance obligations. To do so, HITRUST developed and maintains the Common Security Framework (CSF), a cybersecurity framework designed to protect healthcare data and help healthcare organizations comply with regulatory requirements. 

HITRUST CSF is globally recognized and is the most widely adopted security framework in the U.S. healthcare industry. As a framework, HITRUST CSF provides organizations with standardized, prescriptive controls to be implemented in order to secure healthcare data and fulfill security and compliance obligations, including compliance with regulations and frameworks like HIPAA, NIST, and PCI.

HITRUST CSF is really all about trust. As a standardized, secure framework, it provides transparency in the healthcare industry and establishes trust between an organization and its users, patients, and business partners. 

What’s the difference?

As industry lingo, the meanings of HIPAA and HITRUST are often confused or misinterpreted. While HIPAA is a federal law, HITRUST CSF is a framework that is used to help covered entities achieve HIPAA compliance and compliance with other security standards like PCI and NIST. It might be helpful to think of HITRUST CSF as a response to HIPAA requirements and other healthcare security regulations. Healthcare organizations are required by law to comply with HIPAA, and the HITRUST CSF framework allows them to do so by providing standardized controls that should be implemented for compliance. 

Most organizations are better off with a HITRUST CSF assessment rather than undergoing a HIPAA compliance audit. While most organizations cannot get HIPAA certified, HITRUST provides a certification over HIPAA requirements, ultimately delivering greater value to stakeholders. During your HITRUST CSF assessment, your auditor will verify controls that wouldn’t be verified during a HIPAA compliance audit, including controls involved with mobile computing security, e-commerce, and vendor management. Although it is a more rigorous process, implementing HITRUST CSF automatically helps organizations achieve HIPAA compliance and also reduces overall risk by continuously keeping an eye on all checkpoints so that security gaps are easy to identify.

In addition to HIPAA compliance, the controls implemented with HITRUST CSF can be mapped to other regulations and frameworks, helping your organization standardize security and compliance. Because of this, HITRUST CSF is a valuable asset to any organization that processes sensitive data. 

Ready to discuss if HITRUST CSF is right for your organization? Contact us today, or learn more here.