HIPAA and HITRUST are often used interchangeably. Both are risk management frameworks commonly used in healthcare for data security and privacy. While the two are related, they’re not the same thing.
In this article we’ll compare HIPAA and HITRUST so you can understand when to apply one versus the other.
What are HIPAA and HITRUST?
The Health Insurance Portability and Accountability Act, or HIPAA, is a government-mandated regulation outlining how organizations that deal with protected health information (PHI) must store, process, and transmit this data. Enacted by the United States federal government in 1996, the law was intended to improve the efficiency and effectiveness of the healthcare system, while also maintaining the privacy and integrity of patient health information. HITECH (Health Information Technology for Economic and Clinical Health) was enacted in 2009 and was meant to build on and strengthen HIPAA.
HITRUST stands for Health Information Trust, which is a private organization that was founded in 2007 and is dedicated to providing solutions to help ensure the security and privacy of sensitive data across digital systems and third-party supply chains. Though not affiliated with the federal government in any way, its well-known, proprietary security and risk management framework, the HITRUST Common Security Framework, or CSF, has been widely adopted by healthcare organizations, as well as other industries, across the public and private sectors. It’s considered the gold standard in healthcare data security.
What’s the Difference Between HIPAA and HITRUST?
The main difference is that HIPAA is a government-mandated requirement while HITRUST is a third-party solution. HIPAA is a set of general rules that organizations must interpret, while HITRUST is very prescriptive. HITRUST is more comprehensive than HIPAA, as it contains the requirements of HIPAA as well as those of multiple other regulations. In other words, HIPAA is a part of HITRUST, but HITRUST is not a part of HIPAA.
Here are the ten key differences between HIPAA and HITRUST.
1. HIPAA is required by law.
HIPAA was enacted by the United States Congress. It’s required by law. Any company that generates, stores, or transmits protected health information (PHI), such as healthcare providers, payers, clearinghouses, health information exchanges and networks, and business associates, must meet HIPAA benchmarks or potentially face steep fines.
HITRUST is not required by law. However, 81% of hospitals and 83% of health payers have adopted the framework. Though not required by the US government, many organizations in the healthcare space require it of their vendors.
2. There is no HIPAA certification.
The problem with HIPAA is it’s not certifiable, so anyone can claim to be HIPAA-compliant. In fact, one study found that only 72% of healthcare providers actually conform with HIPAA benchmarks completely. That potentially puts PHI at risk, and puts the burden of the audit directly on clients.
HITRUST is a third-party verified certification that provides evidence that an organization has met the highest data security standards. If you see a HITRUST certified badge on an organization’s website, you can be assured this organization takes security very seriously.
3. HIPAA is not regularly audited by a third party.
The Office for Civil Rights (OCR) periodically audits HIPAA-covered entities and business associates, but the likelihood that any one organization will be selected is small unless there have been complaints. If you want to verify the HIPAA compliance of a potential business partner, the due diligence responsibilities fall on you.
HITRUST, on the other hand, requires a full audit every other year to maintain status, as well as a smaller interim audit in the years between. Rest assured that a certified organization’s security posture is up to date.
4. HITRUST is more comprehensive than HIPAA.
The HITRUST CSF covers over 1200 controls, or policies, each of which can be mapped to over 40 compliance and regulatory frameworks across varying industries such as HIPAA, ISO, NIST, GDPR, and more. It was designed this way to help organizations more easily achieve multiple compliance attestations simultaneously.
HIPAA, on the other hand, only covers HIPAA policies. Though there will be some overlap with other regulatory frameworks, the HIPAA framework was not written with other frameworks in mind.
The HITRUST CSF can be mapped to over 40 regulatory and compliance frameworks across varying industries.
5. HITRUST is flexible and tailored to each company.
HITRUST offers three levels of assessments, each with varying degrees of difficulty and prestige, that companies can leverage based on which level of assurance makes sense for them.
The HITRUST r2 assessment, the most rigorous assessment, is also flexible. For every company pursuing the CSF r2 distinction, the assessment will be tailored to fit the company based on things like overall risk profile and how the company interacts with PHI. For example, one company pursuing CSF r2 could have 213 controls in their assessment while another company could have more than 800.
6. HITRUST is more prescriptive.
HIPAA consists of five rules that organizations must interpret in order to figure out the best way to apply them to their environment. This can cause confusion, as not everyone will always agree on best practices.
HITRUST is very prescriptive. The CSF consists of 49 control objectives and 156 control specifications that detail the specific tasks teams need to perform to achieve those objectives.
7. HITRUST is a comprehensive solution.
HITRUST is more than just a security framework. The HITRUST solution includes a software solution, myCSF, which allows organizations to streamline audits and assessments and map policies to multiple regulatory frameworks.
In other words, HITRUST is a tool that can be used to achieve and report on HIPAA and other compliance, while HIPAA is just a compliance framework.
8. HITRUST is expensive.
Obtaining HITRUST certification can be an incredibly expensive process. You have to pay fees to HITRUST to license the intellectual property and the software solution, and you have to pay a third-party HITRUST assessor to conduct the validated assessment.
HIPAA is free, but that’s because it’s a law, not a solution with benefits. As the old saying goes, you get what you pay for.
9. HITRUST provides more benefits.
HITRUST provides more comprehensive security as well as additional benefits such as increased marketability of your product, a simpler way to manage multiple compliance regulations, and reduced third-party risk. With HITRUST, you can minimize your security risk while signaling your security stature to the market.
10. HIPAA is only for healthcare.
HITRUST was designed originally for the healthcare industry, but in 2019 HITRUST updated the framework to make it industry agnostic by incorporating regulatory standards not specific to healthcare and reworking the framework so that HIPAA is no longer the focal point, but rather just one piece of a robust compliance system. This makes HITRUST valuable and relevant to anyone managing data security and compliance across industries.
Similarities Between HIPAA and HITRUST
Both HIPAA and HITRUST are compliance frameworks that provide guidance for helping healthcare organizations achieve data security, ensure patient privacy, and engage in appropriate data sharing for clinical and care operations purposes. They both outline how to store and manage PHI. The main difference is that HIPAA is a law and HITRUST is a tool.
HIPAA and HITRUST Pros and Cons
HIPAA mandates the use of standard formats for electronic transactions such as claims, eligibility inquiries, and payment remittances. This standardization helps streamline administrative tasks, reduce manual errors, and improve communication between healthcare providers, payers, and other entities, ultimately increasing clinical efficiency.
HIPAA outlines how to properly store and manage data in order to maintain patient privacy while enabling access for care providers, insurers, and necessary individuals for clinical operations purposes.
Adherence to HIPAA regulations assists organizations in safeguarding PHI against improper exposure and theft. This protects patients and also businesses from the reputation damage and fees that are a consequence of successful cyber attacks. Organizations that are compliant with HIPAA are better equipped to manage and mitigate cybersecurity threats and investigate incidents.
Since there’s no HIPAA certification, anyone can claim to be HIPAA compliant. In fact, one study found that 25% of HIPAA covered entities fail to meet HIPAA benchmarks in one way or another.
Without a certification, potential clients are left with the burden of auditing vendors themselves – an exhausting, time-consuming process – or they risk exposing sensitive data to malicious threats.
Vague and interpretive
Some aspects of HIPAA can be open to interpretation, requiring organizations to make judgments on how to best implement the rules to protect PHI. This can lead to confusion and differing opinions on the best ways to meet the requirements.
The OCR continually updates HIPAA guidance to keep up with evolving threats and changing technology, so organizations must stay up to date with the changes or risk non-compliance.
Reduced security risk
According to the OCR, HIPAA breaches increased by 39% in a recent three-year period. HITRUST is the gold standard for health information security and significantly reduces your risk of a breach and minimizes the potential for damage.
Many healthcare organizations require certification of their vendors. Being certified will give you the edge on non-certified competitors.
Reduced cybersecurity insurance premiums
Due to the reputation enjoyed by HITRUST certification, certified companies can lower their insurance premiums and may be able to increase their benefit limits.
Accelerated sales cycles
Tired of filling out security questionnaires in order to prove security competency to potential customers? HITRUST certification reduces this type of scrutiny by 99%. Backed by HITRUST’s prestigious reputation, you can more easily win over security personnel during sales cycles and close deals faster.
Simplified compliance management
Because the CSF encompasses so many regulatory frameworks, organizations can use it to attest to multiple regulations in one fell swoop. “Assess once, report many” is what HITRUST likes to say.
Easily manage third-party risk
Becoming HITRUST certified allows you to take advantage of the HITRUST Third-Party Assurance Program, which helps organizations reduce the time, money, and resources spent on evaluating third parties for business relationships.
HITRUST costs in the range of $40K to $160K, depending on a company’s risk factors and which HITRUST assessment they choose to pursue.
The upfront expenses involved in HITRUST are not the only costs to organizations. HITRUST is disruptive. It takes employees away from their day-to-day tasks, causing other projects and initiatives to slow or get completely dropped. The opportunity cost of the diverted resources is arguably the most prominent cost involved in HITRUST certification.
Requires ongoing oversight
HITRUST is not a final destination; it’s an ongoing initiative to maintain. While it does provide a solution for consolidating multiple compliance cycles into one, it’s a system that requires ongoing maintenance and optimization, with a regular cadence of reassessments and interim assessments.
HIPAA vs HITRUST. Which one’s better?
They’re different. HIPAA is a law and HITRUST is a solution. Overall, HITRUST is more comprehensive and provides more value to the user, such as more prescriptive compliance guidance, increased product marketability, and minimized security risk.
HIPAA or HITRUST: Frequently Asked Questions
Does HITRUST cover HIPAA?
Short answer: yes. The CSF includes requirements from multiple compliance frameworks across industries. Organizations can use the CSF to signal compliance with HIPAA and other industry standards.
Does HITRUST replace HIPAA?
No. HITRUST does not replace HIPAA, but it can provide a prescriptive system to enable organizations to meet HIPAA guidelines. Organizations that deal with PHI still need to ensure they’re compliant with HIPAA rules, but HITRUST is one solution to help them achieve that.
How does HITECH relate to HIPAA?
HIPAA was enacted in 1996 before widespread adoption of electronic health record (EHR) systems. HITECH (Health Information Technology for Economic and Clinical Health) was passed in 2009 and was written to address the use of EHRs and associated technologies. HITECH was intended to update and strengthen the privacy and security provisions of HIPAA and make them more applicable to the modern age. That’s why you’ll often see HIPAA/HITECH written together.
When is HITRUST required?
HITRUST is never required by law, but many payers and providers require it of their vendors. In fact, in 2016 five prominent payers issued a letter instructing their business associates to obtain HITRUST certification within two years. Presently, over 90 payers and other firms in the healthcare sector mandate that their third-party service providers hold HITRUST certification.
How does HITRUST handle the HIPAA enforcement rule?
HITRUST does not handle the HIPAA enforcement rule directly, but it provides a framework that incorporates the HIPAA Security Rule and other regulations to help organizations achieve compliance and manage risk.
How much does HITRUST Certification cost?
The total direct cost of HITRUST is anywhere from $40K to $160K, depending on your organization’s risk profile. This does not include the indirect costs felt by your organization.
Read the blog: What's the Cost of HITRUST Certification?
What standards does HITRUST cover?
HITRUST covers the standards of over 40 regulatory frameworks, called authoritative sources, including HIPAA/HITECH, SOC 2, NIST, ISO, COBIT, PCI, GDPR, FISMA, FTC, and more.
How many HITRUST controls are there?
As of the latest release, HITRUST v11, which was released January 18, 2023, the three HITRUST assessments contain:
- e1 assessment = 44 requirement statements
- i1 assessment = 182 requirement statements (includes the 44 from the e1)
- r2 assessment = 213 to 2,000+, depending on the scope and risk factors (includes the 182 i1 requirement statements as a baseline)
How Cloudticity Accelerates HITRUST Certification
Cloudticity is one of the very few vendors to be certified by HITRUST as a HITRUST inheritance provider, meaning we can accelerate the HITRUST certification process by 40-60% with our managed cloud services solutions for healthcare. By inheriting hundreds of HITRUST controls we’ve already met, organizations can reduce the time, money, and resources spent on achieving and maintaining HITRUST certification.