- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: HITRUST and HIPAA often go hand-in-hand when talking about security compliance. But what are they, and how do they compare? In this article, we’ll review HITRUST vs. HIPAA, including their differences, similarities, and advantages, and we’ll explain how and when to use them in compliance efforts.
What Are HITRUST and HIPAA?
Founded in 2007, the Health Information Trust Alliance (HITRUST) is a non-profit organization best known for developing the HITRUST Common Security Framework (CSF), in collaboration with healthcare, technology, and information security organizations.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that sets standards for the security, privacy, and proper handling of protected health information (PHI) among covered entities and business associates (i.e., anyone who handles PHI directly or indirectly, including healthcare providers, insurance companies, healthcare clearinghouses, and third parties, such as the software companies that support those industries).
Here’s a quick breakdown.
Health Information Trust Alliance (HITRUST)
Data privacy and security are growing challenges for healthcare organizations and the third parties that work with them. While HIPAA has been around for years, implementing HIPAA standards with a robust and compliant security management program can be complex and confusing. When combined with other security regulations and requirements across industries and borders, HIPAA compliance suddenly becomes a minefield that is difficult and costly to navigate.
The HITRUST CSF aims to solve these challenges by simplifying compliance through a single, streamlined framework that harmonizes over 40 security standards, frameworks, and regulations. HITRUST’s framework provides prescriptive controls and requirements that organizations can use to prove compliance with HIPAA and other regulatory standards.
The HITRUST CSF is a certifiable security and privacy framework that organizes and integrates global standards into an efficient and flexible approach to regulatory compliance and risk management. Besides accommodating HIPAA, HITRUST harmonizes a wide range of other standards, including the International Information Security Standard (ISO), Payment Card Industry Data Security Standard (PCI-DSS), the National Institute of Standards and Technology (NIST 800-53), NIST Cybersecurity Framework, Control Objectives for Information and Related Technologies (COBIT), General Data Protection Regulation (GDPR), and more.
By following the HITRUST CSF and its corresponding HITRUST Assurance Program, organizations can demonstrate compliance with HIPAA and other common standards with greater reliability and transparency.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s requirements comprise three main rules:
- Privacy Rule: Sets national standards for how and when patients’ PHI may be used or disclosed
- Security Rule: Sets requirements for protecting patients’ electronic PHI (ePHI)
- Breach Notification Rule: Requires covered entities to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and the media when a breach involving unsecured PHI occurs
HIPAA requires organizations to conduct annual self-audits to ensure compliance but does not outline a prescriptive roadmap for achieving it.
HITRUST vs. HIPAA: What’s the difference?
The main difference between HITRUST and HIPAA is that HITRUST is a global security and risk management framework, whereas HIPAA is a U.S. law that governs health industry standards for protecting patient health information.
Put simply, HIPAA details the rules for the security of PHI, while HITRUST outlines the flexible framework used to achieve and certify compliance with HIPAA and other regulatory standards. The two intersect to support mature and comprehensive security and privacy risk management, but they are distinct in their purpose, application, and authority.
Similarities Between HITRUST and HIPAA
Both HITRUST and HIPAA relate to the governance and management of security risks in the health industry. HIPAA sets the rules, and HITRUST outlines how to comply with them.
Originally tailored to the healthcare industry, HITRUST has since expanded its scope to include other international privacy frameworks, taking a more industry-agnostic approach. It remains a leading security framework for demonstrating HIPAA compliance.
HITRUST and HIPAA: Advantages and Disadvantages
HIPAA helped the healthcare industry transition from paper records to digital copies of health information, creating standard operating rules, unique identifiers, and code sets. This simplifies healthcare transactions and makes it easier for organizations to communicate with one another, increasing efficiency and saving valuable time and administration costs.
HIPAA compliance helps organizations protect PHI from mishandling and theft. This protects patients and leads to a stronger patient-centric culture.
HIPAA-compliant organizations are also better prepared to handle and mitigate outside attacks on their systems. By preventing data breaches (or identifying them faster), organizations can limit risk exposure, liability, and mitigation costs.
HIPAA rules comprise a collection of intersecting industry standards and regulations, including ISO, NIST, Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and PCI-DSS. This makes HIPAA compliance complex—especially when mapping it across other intersecting regulatory requirements—and can make it difficult for organizations to identify gaps in their security controls.
Without a clear, unifying framework, organizations must do the heavy lifting of sifting through complex standards and building the controls and infrastructure to ensure compliance. This requires significant time and resources and still leaves organizations at risk for compliance gaps.
Lack of certification
While HIPAA lays out the rules, it does not prescribe how to achieve compliance or provide an official certification program. This makes it challenging to prove compliance and leaves organizations to decide on how to demonstrate it. Without a formal certification to show, organizations may struggle to limit liability during an audit and instill confidence in business associates.
Streamlined and comprehensive compliance
HITRUST synchronizes HIPAA and other standards into a unified framework that is easier to follow and implement. So instead of trying to assess individual compliance with different and competing regulations, companies can use the HITRUST framework to ensure a comprehensive risk management program.
Flexibility and scalability
Another big advantage is HITRUST’s flexibility. Organizations can scale HITRUST up or down to meet their individual needs, regardless of their size, security level, maturity, experience, or resources.
The gold standard of healthcare data security
HIPAA lacks a method to prove compliance, but HITRUST fills the gap as a trusted certifiable framework. This means HITRUST-certified organizations enjoy a competitive advantage over their uncertified peers.
High investment costs
Depending on the framework and assessment an organization chooses, implementing HITRUST and achieving certification may require significant resources. From hiring and training IT staff and adopting new security infrastructure to managing the program afterward, organizations need to invest the time and resources necessary for successful implementation.
Although HITRUST simplifies the compliance process, organizations still need to oversee the program to ensure it is implemented correctly. This requires systematic documentation, regular testing to identify gaps in controls, and the development of a robust security policy to govern the compliance process.
HITRUST or HIPAA? Which One Should You Choose?
When it comes to HITRUST and HIPAA, the question isn’t about choosing one or the other. Organizations that fall under HIPAA requirements must comply, but they have the flexibility to decide how to implement those standards in their own security programs. This is by design. The government outlines HIPAA to provide standards that can be applied flexibly based on each organization’s individual needs and structure.
That’s where HITRUST comes in.
HITRUST enables organizations to design, implement, assess, and manage their security compliance programs successfully based on HIPAA and other standards. As an official certifying body, HITRUST gives organizations and their industry partners confidence in their ability to meet compliance standards. This is not only important for maintaining a competitive advantage but also for avoiding costly HIPAA penalties due to non-compliance and any costs or damages from a resulting breach.
Ultimately, the real question is: what’s the best way to demonstrate HIPAA compliance?
While HITRUST is not the only way to do this, it is the top standard for HIPAA compliance and certification. More than 80% of US hospitals, 85% of US health insurers, and many other covered entities and business associates use HITRUST to support their HIPAA compliance initiatives.
HITRUST vs. HIPAA: Frequently Asked Questions
Does HITRUST replace HIPAA?
Short answer: no.
As a framework, HITRUST outlines a prescriptive path for organizations to follow, so they can successfully comply with HIPAA’s requirements. It does not impact the legislation or rules governing the industry. Instead, HITRUST helps organizations implement a HIPAA-compliant security program.
Does HITRUST include HIPAA?
Yes. HITRUST initially tailored its programs for the healthcare industry, and earlier iterations of the CSF included HIPAA controls by default. Today, organizations can choose which standards to include in the framework for their particular needs. But HITRUST remains a leading framework and certification program for the healthcare industry.
How StrongDM Can Help with HITRUST and HIPAA
Achieving HIPAA compliance and completing HITRUST certification is a big undertaking. StrongDM’s infrastructure access platform simplifies the process through reliable, automated access control, audit controls, and transmission security.
Through built-in monitoring and granular log collection, as well as automated least-privilege access, you can confidently ensure end-to-end compliance while providing transparency around your efforts for a streamlined audit process.
With StrongDM, you can make sure the right people have access to the right resources at the right time—every time. Use StrongDM to support your compliance and certification efforts today.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.