HITRUST vs HIPAA: What is a HIPAA HITRUST Certification?


Quick Hits 
  • HIPAA is a US law that protects individuals’ protected health information (PHI). Covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and the business associates that handle PHI on their behalf must comply with it.  
  • HITRUST is an organization that maintains the HITRUST CSF (Common Security Framework) and certifies that organizations have implemented appropriate security measures for healthcare data. 
  • HITRUST can help companies work toward HIPAA compliance by assessing the organization’s data security practices in depth.  

HIPAA (the Health Insurance Portability and Accountability Act) and HITRUST (the Health Information Trust Alliance) are terms often used when discussing privacy and data security compliance, but they should never be used synonymously. HIPAA is a US law that defines what compliance means, while HITRUST is an organization whose framework can help companies reach HIPAA compliance. To better understand how these terms interact, let’s first take a look at them individually and then examine how HITRUST can help a company with HIPAA compliance.

What is HIPAA? 

HIPAA (Health Insurance Portability and Accountability Act) is a US law that sets requirements for protecting individuals’ protected health information (PHI). HIPAA addresses both data privacy and data security.  

The HIPAA Privacy Rule sets requirements for keeping patient information private. It governs how PHI may be used or disclosed with the individual’s written authorization and defines the limited circumstances in which PHI may be used or disclosed without it. The following situations allow health information to be used or disclosed without individual authorization: 

  • When the information is being disclosed to the individual themselves 
  • When the information is needed for treatment, payment, or other healthcare operations 
  • When the individual has been given the opportunity to agree or object to the disclosure of their PHI (informal permission) 
  • When the disclosure is incidental to an otherwise permitted use or disclosure 
  • When the information is being used for a defined public interest, like health oversight, judicial proceedings, or helping victims of domestic violence 

Other than the exceptions outlined by HIPAA, individual authorization is required for any use or disclosure of PHI. 

The HIPAA Security Rule covers the requirements for protecting an individual’s electronic protected health information (ePHI). It requires administrative, physical, and technical safeguards. To comply with the Security Rule, covered entities and business associates must: 

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit  
  • Identify and protect against reasonably anticipated threats to the security or integrity of that information 
  • Protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit 
  • Ensure compliance by their workforce 

These rules seek to secure all ePHI from both intentional and unintentional misuse, which could otherwise lead to a HIPAA violation and hefty fines.

What is HITRUST? 

HIPAA compliance can be complicated, but it is essential for any organization that interacts with health information. HITRUST was founded in 2007 to provide risk management and compliance support for organizations in many industries, especially healthcare. Obtaining a HITRUST CSF (Common Security Framework) certification shows that an organization has implemented extensive measures to protect sensitive information.  

HITRUST gives healthcare organizations, and organizations that handle healthcare information, structured options for managing risk. Using prescriptive requirements, the CSF helps organizations meet compliance standards such as HIPAA, GDPR, and PCI DSS. Organizations can add the standards they need to comply with to the scope of the HITRUST certification they seek.

HITRUST & HIPAA Compliance 

While maintaining HIPAA compliance is important, the law does not come with an official framework or certification program for companies to follow. HITRUST’s framework, then, is a helpful tool for companies looking for concrete guidance.  

The prescriptive requirements of the HITRUST CSF can help an organization demonstrate HIPAA compliance. HITRUST offers an integrated approach to managing risk that keeps up with evolving threats. Because of this, more than 80% of hospitals and health insurers use HITRUST to achieve HIPAA compliance.  

A HITRUST certification is not a guarantee of HIPAA compliance. However, the HITRUST certification process helps organizations build and maintain the level of security they need to attain HIPAA compliance.  

Obtaining a HITRUST certification is an expensive process, which is why many smaller companies opt for a HIPAA self-assessment instead. Companies that find HITRUST’s framework worthwhile can expect to pay anywhere from $40,000 to $250,000 a year for a certification that lasts two years (if they pass their interim assessment). 

Basics of the HITRUST CSF (Common Security Framework) 

It’s important to note that the HITRUST CSF certification is a security assessment and as such does not certify a company’s privacy practices. HITRUST examines policy, procedure, implementation, measurement, and management practices across 19 security “domains”:

  • Information Protection Program 
  • Network Protection 
  • Incident Management 
  • Endpoint Protection 
  • Transmission Protection 
  • Business Continuity and Disaster Recovery 
  • Portable Media Security 
  • Password Management 
  • Risk Management 
  • Mobile Device Security 
  • Access Control 
  • Physical and Environmental Security 
  • Wireless Security 
  • Audit Logging and Monitoring 
  • Data Protection and Privacy 
  • Configuration Management 
  • Education, Training, and Awareness 
  • Vulnerability Management 
  • Third-Party Assurance 

Each domain is broken down into individual security controls, and the number of controls in scope for an assessment depends on the organization’s scoping factors, such as how many records it handles. More records in scope means more controls to assess. This makes certification even more costly for large healthcare or insurance organizations that use or store millions of patient records. 

HIPAA is a regulation, and following it is not optional. However, you can never be “HIPAA certified,” only HIPAA compliant or non-compliant. If you’re looking for an in-depth certification process that can identify security gaps and support HIPAA compliance, HITRUST may be a valuable investment for your organization. It is not required for HIPAA compliance, though, and many organizations will forgo the effort in favor of the less costly HIPAA self-assessment.  
