HITRUST vs. HIPAA: Which Is Right for My Organization?
When researching regulations and requirements in the healthcare industry, many organizations come across both HITRUST and HIPAA. As a result, they may ask themselves: “What are the differences between HITRUST vs HIPAA and which should I choose?”
It’s not an apples-to-apples comparison. Here’s why:
- HIPAA is a U.S. law that includes a set of safeguards that covered entities and business associates must follow to protect health information.
- HITRUST is a certifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance. HITRUST has also been mapped against over 40 other standards such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Federal Information Security Modernization Act (FISMA), PCI DSS, and ISO 27001) that could be added to the scope of the HITRUST certification.
Trying to determine if HITRUST or HIPAA is better for your organization is actually the wrong question. Instead, ask yourself, “What is the best method for demonstrating HIPAA compliance within my organization?”
Let’s look a little closer at HITRUST vs HIPAA and why you might choose the HITRUST CSF as a means to achieve HIPAA compliance.
What is HIPAA?
HIPAA is a U.S. federal statute signed into law by President Clinton in 1996. In addition to giving workers the ability to carry forward health insurance coverage between jobs, HIPAA defines requirements that covered entities (i.e., health plan providers, healthcare providers, and healthcare clearinghouses) and their business associates must follow to protect patient information.
These information security and privacy requirements are defined according to three rules:
- The HIPAA Privacy Rule: Sets national standards for when patients’ protected health information (PHI) may be used and disclosed.
- The HIPAA Security Rule: Outlines measures that covered entities and business associates must take to protect patients’ electronic protected health information (ePHI).
- The HIPAA Breach Notification Rule: Requires that covered entities notify affected individuals, the U.S. Department of Health and Human Services (HHS), and the media in the event of an information breach.
Important updates to HIPAA
Recently there have been several important updates related to HIPAA that are worth noting. One is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was signed into law on February 17, 2009 by President Obama. The HITECH Act encourages the use of electronic health records (EHR) by providing financial incentives for healthcare organizations that can prove they have implemented EHR. The HITECH Act also allows for more severe penalties to be levied against covered entities and their business associates for HIPAA noncompliance.
Another important update to HIPAA, the HIPAA Safe Harbor Bill, was signed into law on January 5, 2021 by President Trump. This law amends the HITECH Act so that the HHS and the Office of Civil Rights (OCR) must recognize and encourage security best practices for HIPAA compliance. Specifically, HIPAA Safe Harbor reduces financial penalties and the length of compliance inspections for covered entities and business associates that can prove they’ve had “recognized security practices” in place for at least one year.
How can an organization prove HIPAA compliance?
Though HIPAA requires organizations to conduct annual self-audits, it does not provide an official framework or methodology for verifying compliance with the law.
So how can an organization prove HIPAA compliance? There are two primary frameworks we recommend for organizations that handle PHI to maintain compliance with HIPAA regulations:
- A Systems and Organization Controls (SOC) 2 examination + HIPAA - This allows an organization to examine the necessary safeguards in order to validate HIPAA compliance. The organization going through the examination develops management’s controls to address the proper safeguards. A SOC 2+HIPAA examination can only be performed by a Certified Public Accounting (CPA) firm.
- HITRUST CSF - This is a comprehensive security and privacy framework that can be used to certify HIPAA compliance, as well as other standards and regulatory requirements. Unlike SOC 2, the HITRUST CSF necessitates the prescriptive controls that must be in place to achieve HIPAA compliance based on the organization’s risk factors. In addition, the HITRUST CSF certification is the only official certification that proves HIPAA compliance.
What is HITRUST and HITRUST CSF?
HITRUST was founded in 2007 to help healthcare organizations better manage information security systems and protect their data. HITRUST is perhaps most well known for developing the HITRUST CSF, described above, which is used by thousands of organizations around the world to efficiently manage regulatory compliance and risk management.
The HITRUST CSF was originally tailored for the health industry, but with the release of CSF 9.2 in January of 2019, it transitioned to better align with other existing international privacy frameworks by adopting a more industry-agnostic approach. Prior to 2019, every HITRUST CSF examination included HIPAA compliance by default, but now it is an optional regulatory factor that must be selected as part of an assessment.
Regardless, HITRUST CSF remains one of the premier security frameworks used to demonstrate HIPAA compliance. HITRUST has even released official documentation demonstrating that the HITRUST CSF meets all the requirements outlined in the HIPAA Safe Harbor Law.
The HITRUST CSF “assess once, report many” approach also allows organizations to choose the frameworks and controls they want to initially be tested against and add more in the future if they choose.
Why choose HITRUST for HIPAA compliance?
When not contractually obligated to use the HITRUST CSF, some organizations opt for SOC 2+HIPAA or a self-assessment because of the higher cost and somewhat significant time and resource requirements of HITRUST CSF.
However, there are benefits to leaning on HITRUST CSF for HIPAA compliance. Because of its strict and prescriptive nature, the HITRUST CSF has established itself as a gold standard for organizations to demonstrate they have the necessary controls in place for data protection.
Additionally, leveraging HITRUST CSF includes other benefits, such as:
- Extended duration: Organizations have a two-year certification with the HITRUST CSF, compared to SOC 2 validation which requires annual completion.
- Social proof: The HITRUST CSF has developed a widespread positive reputation for compliance.
- Options to easily adopt additional regulatory standards due to the fact that it is comprehensive, scalable and flexible: The HITRUST CSF has mapped controls to more than 40 standards across various industries worldwide and, with a dedicated research team that is specifically tasked with mapping security frameworks, can quickly get up to speed on any new laws and regulations.
As a growing number of privacy laws continue to roll out internationally, HITRUST CSF will likely continue to expand and map to new legislation. In fact, the HITRUST research team mapped the General Data Protection Regulation (GDPR) within six months, and HITRUST has applied to become the premier certification body for GDPR. This is also why organizations in industries such as travel and hospitality, utilities, energy, etc., are adopting HITRUST.
HITRUST vs. HIPAA: Asking the right question
As mentioned before, asking if the HITRUST CSF or HIPAA is better for your organization isn’t the right question. The more appropriate question is, “What is the best option for demonstrating HIPAA compliance within my organization?”
HITRUST CSF is one reliable way to achieve HIPAA compliance. In fact, it is the only way to become officially certified in HIPAA compliance. For this reason, the HITRUST CSF is often utilized and sometimes required by organizations in the healthcare industry.
If you’re preparing your organization to be HIPAA compliant, HITRUST CSF certification may be a valuable investment.