HIPAA and HITRUST are sometimes seen as being the same thing. While the two entities are related, they are not identical. HIPAA is a regulatory framework that defines how healthcare organizations need to safeguard protected health information (PHI), and HITRUST certification is a third-party certification that verifies the necessary security measures have been implemented and maintained.
It’s important to understand the role of HIPAA and HITRUST and the relationship between the two. This knowledge can bolster your company’s ability to remain compliant with evolving standards and help you simplify compliance management going forward.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The Act’s objective is to protect medical records and other personal health information. It applies to all organizations that process and store PHI, including healthcare providers, clearinghouses, health plans, health information exchanges, and business associates.
While HIPAA defines the safeguards required to protect PHI, there is no official HIPAA certification stating an organization is in compliance. Entities operating in the healthcare field may think they are compliant when they’re actually not.
Adding further complexities to managing HIPAA compliance, the HIPAA standard is ever evolving. The requirements may be different next year than they were this year, making HIPAA a moving target for compliance teams.
What is HITRUST?
The Health Information Trust Alliance, or HITRUST Alliance, is an organization formed in 2007 with the intent of helping organizations manage data, information risk, and compliance. While it is widely associated with the healthcare industry, HITRUST certification can be used to demonstrate compliance in other regulated market sectors.
HITRUST is a privately held entity that helps organizations achieve compliance standards with HITRUST’s Common Security Framework (CSF). The CSF consists of over 1800 controls and provides a comprehensive, standardized, and certifiable framework for efficiently complying with HIPAA, as well as other regulatory standards.
HITRUST vs HIPAA
While HIPAA and HITRUST are both important pieces of the healthcare security and compliance story, the terms are not interchangeable. They work in tandem to promote a greater emphasis on protecting the security and privacy of PHI. Let’s look at how these two entities compare in a variety of aspects.
The purpose of HIPAA vs HITRUST
HIPAA was developed to protect patients by ensuring the privacy and security of PHI. HITRUST was developed to help organizations implement and demonstrate compliance with the regulations defined in HIPAA, as well as other standards such as ISO, NIST, PCI and FISMA.
Costs of HIPAA vs HITRUST
Organizations must invest in the necessary staff and tools to comply with HIPAA, but no fees are paid to the regulatory body itself. In contrast, HITRUST certification is very expensive. Companies obtaining HITRUST certification must pay direct fees to both the HITRUST Alliance and their chosen HITRUST Assessor.
These costs vary from business to business based on a company’s individual risk profile and can range from around $60K to $285K. In addition, since HITRUST requires a re-certification every 2 years, there will be ongoing fees associated with maintaining HITRUST certification.
HIPAA vs HITRUST noncompliance penalties
Substantial penalties can be levied against organizations that are found to be non-compliant with HIPAA regulations. Violations are categorized in tiers that reflect the severity of a data breach and the attempts an organization has made to address its security shortcomings. The penalties for each tier are:
- Tier 1: Minimum fine of $100 per violation up to $50,000
- Tier 2: Minimum fine of $1,000 per violation up to $50,000
- Tier 3: Minimum fine of $10,000 per violation up to $50,000
- Tier 4: Minimum fine of $50,000 per violation
In contrast, since organizations voluntarily seek HITRUST certification there are no non-compliance penalties associated with HITRUST.
Mandatory implementation of HIPAA vs HITRUST
Any business that processes and stores PHI is required to comply with HIPAA regulatory standards. Obtaining HITRUST certification is not mandatory, but lack of certification can be viewed negatively by many healthcare organizations like hospital systems and health plans. For example, if your company is not HITRUST certified and your competitor is, they will automatically be perceived as better than you.
The Benefits of HITRUST Certification
The problem with HIPAA is that there is no HIPAA certification, so any company can claim to be HIPAA compliant. In fact, one study showed that 25% of healthcare companies that claimed to meet HIPAA benchmarks actually failed to be compliant. With no official way to prove adherence to the HIPAA framework, HITRUST offers a third-party validated certification that allows organizations to prove their compliance with HIPAA and other frameworks.
Other benefits of HITRUST certification include:
Reduced risk of a breach
With the healthcare industry accounting for 79% of data breaches, it’s critical that PHI be protected with multiple layers of privacy policies. The HITRUST framework is the gold standard in healthcare information security and includes robust policies for protecting PHI.
Reduced cybersecurity insurance premiums
Due to the reputation enjoyed by HITRUST certification, certified companies can lower their insurance premiums and may be able to increase their benefit limits.
Increased product marketability
Certification is becoming a prerequisite for companies intent on entering the healthcare industry. Many of the major healthcare organizations in the U.S. will not work with vendors who are not HITRUST certified.
Managing evolving HIPAA guidelines
HIPAA is a large and complex Act that is constantly evolving to address the changing information technology landscape. The HITRUST CSF provides organizations with a streamlined process for keeping up with these changes without expending an inordinate amount of internal resources.
Why Choose HITRUST for HIPAA Compliance?
Healthcare organizations subject to HIPAA compliance need to address the administrative, physical, and technical safeguards defined in the regulations. They also need to be able to demonstrate their compliance to outside auditors.
HITRUST provides a framework for achieving, maintaining, and proving HIPAA compliance.
HITRUST certification is considered the gold standard in health information security because of its reputation across the industry and the multiple benefits it offers companies. Other forms of auditing and assessment for HIPAA compliance do not provide organizations with the same level of protection. HITRUST is considered superior to the NIST and SOC 2 security frameworks.
In addition, HITRUST allows you to consolidate multiple compliance activities that would otherwise be separate tasks. So if your organization has multiple compliance cycles for other regulations like PCI and ISO, you can streamline that into one HITRUST compliance workflow, reducing the work needed to maintain compliance.
The Challenges of HITRUST Certification
With all the rigor of the certification process, it’s no wonder that meeting HITRUST guidelines is as daunting as it is differentiating. For organizations starting out on the path to certification, the sheer scope and scale of the timeline can be a risk in and of itself.
No matter the size, specialties, or experience of your team, achieving HITRUST certification without an expert partner to guide you can be daunting. Especially if your business attempts to take on HITRUST alone, the process can cost you immensely in terms of:
- Time: Without the guidance of experienced HITRUST experts, the certification process can take months to years.
- Resources: Certification requires substantial internal resources, distracting your team and diverting energy from innovation and growth.
- Price/budget: HITRUST is an investment with an immense ROI. However, that investment can balloon (and the benefits shrink accordingly) when inexperienced teams are charged with attaining certification, because invariably errors occur, timelines are extended, and valuable resources are wasted.
The Cloud Accelerates HITRUST
Because cloud compliance is a shared responsibility with the cloud provider, utilizing public clouds like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) can accelerate your path to HITRUST. Public cloud providers have already met many HITRUST guidelines and you can simply inherit adherence to those guidelines by using their platforms, reducing the work needed to achieve compliance with the HITRUST framework.
Another way to accelerate HITRUST further is to partner with a managed service provider (MSP) that is part of HITRUST’s inheritance partner program, like Cloudticity. Cloudticity provides 357 inheritable and partially inheritable controls that can be put toward your HITRUST certification, reducing your timeline by up to 50% in some cases.
Why choose HITRUST for HIPAA compliance?
HITRUST provides a trusted and proven framework allowing companies to demonstrate that they are taking the appropriate steps to protect sensitive data resources. HITRUST helps organizations eliminate the risks of HIPAA noncompliance and is seen throughout the healthcare industry as the preferred method of achieving and demonstrating compliance.
What are HITRUST and HITRUST CSF?
HITRUST is a privately designed compliance framework put together by industry experts. The framework encompasses many of the controls defined in the HIPAA Security and Privacy Rules, as well as other regulatory bodies such as NIST, ISO, FISMA, and GDPR. The Common Security Framework (CSF) is the result of these efforts and enables organizations to streamline how they demonstrate data security and HIPAA compliance.
What is a HITRUST CSF self-assessment?
Performing a HITRUST CSF self-assessment involves the company seeking HITRUST certification completing the myCSF tool. The tool is a cost-effective method for organizations to manage information risk and meet various types of privacy and security standards.
What are HITRUST requirements?
Four steps are required to achieve and maintain HITRUST certification. The steps are:
- Self-assessment of internal operations, often performed with the assistance of a third-party assessor;
- Implementation of the HITRUST CSF;
- Certification from the HITRUST Alliance, which lasts two years;
- Repetition of the process to maintain certification.
Who is HITRUST CSF certified?
HITRUST certification has gained increased importance as healthcare providers are requiring business associates to complete the process. Business associates who desire to work with major U.S. healthcare organizations need to obtain HITRUST certification.
How Do I Get HITRUST certified?
HITRUST certification is obtained by completing a CSF, validating it with a CSF assessor, and having the CSF submission approved by the HITRUST Alliance. The first step is selecting a third-party CSF assessor to partner with. We recommend working with BEYOND LLC, a trusted HITRUST CSF assessor.
If you are HITRUST certified, does that mean you are HIPAA compliant?
No, it does not. You may obtain HITRUST certification and not be HIPAA compliant. The framework allows an organization to demonstrate they are taking steps to comply with HIPAA, but the possibility exists that HITRUST may not cover every aspect of the HIPAA Security Rule. Additionally, HITRUST has never been formally endorsed by the Office for Civil Rights (OCR), which oversees the enforcement of HIPAA regulations.
If you want to learn more about why HITRUST certification is important, read our free info guide, HITRUST Is High Priority For Your Business.