Datica Blog

November 11, 2019

HIPAA vs HITRUST

Grant Barrick

Former Vice President of Marketing

Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

What does HITRUST mean?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization composed of healthcare industry leaders who regard information security as a fundamental component of data systems and exchanges.

The HITRUST organization, in partnership with other technology and information security leaders, created and maintains the Common Security Framework (CSF). HITRUST is not a new set of standards. The HITRUST CSF® is a system that helps organizations comply with HIPAA and other regulations such as PCI, NIST, and ISO through a detailed, yet flexible and efficient approach to regulatory and compliance management. The most widely used security framework in the U.S. healthcare industry today, the HITRUST CSF is continually updated and improved. According to the HITRUST Alliance, an interim release of HITRUST CSF v9.1 will incorporate the EU General Data Protection Regulation (GDPR) and map the CSF's privacy and security requirements to the AICPA Trust Services Criteria for Privacy.

What does HIPAA mean?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislative act that was signed into law in August 1996. In 2013, HIPAA was expanded with the HIPAA Omnibus Rule to implement additional guidelines in accordance with those set forth in the HITECH Act. HIPAA outlines requirements for healthcare organizations and their business associates for ensuring the security of sensitive patient data.

What is the HITRUST Common Security Framework?

The HITRUST CSF maps the CSF controls to specific HIPAA standards and specifications. Many specifications are mapped to multiple CSF controls. Each CSF control has multiple levels with varying requirements, so that organizations can implement the most relevant requirements for each control based on systems, organizational considerations, and regulatory risk factors.

Organizations wanting to comply with HITRUST have three options, known as Degrees of Assurance:

  • Self-Assessment: Companies can perform a self-assessment using the myCSF tool. This assessment helps to identify areas in compliance with HITRUST as well as areas for improvement.

  • CSF Validated: This is a step often taken after an organization has completed the self-assessment and implemented corrective actions to rectify any non-compliance issues identified. A third-party, HITRUST-approved CSF Assessor verifies the information gathered through the assessment with an onsite visit. HITRUST issues a Validated Report after reviewing the validated assessment.

  • CSF Certified: This Degree of Assurance requires the most time and effort. It's a step above CSF Validated, with HITRUST reviewing and certifying the organization's information and the CSF Assessor's validation, after which a HITRUST CSF Certification is granted for a period of two years.

What is the difference between HITRUST and HIPAA?

HITRUST and HIPAA are both hot topics in healthcare, but what is the difference?

  • HITRUST builds on HIPAA. It takes HIPAA, a non-standardized and non-prescriptive compliance framework, and creates a standardized compliance framework, assessment, and certification process for the healthcare industry.
  • HITRUST "harmonizes" HIPAA with other compliance frameworks such as PCI and NIST. HITRUST also adapts requirements for certification to the risks of an organization based on organizational, system, and regulatory factors.
  • As opposed to HIPAA, which has defined penalties for security breaches, the enforcement of HITRUST is dependent on the healthcare industry itself, typically covered entities like hospitals and payers, requiring HITRUST CSF Certification of vendors.
  • Having been through both HIPAA audits and a Certified CSF Assessment, we can safely say that HITRUST CSF Certification is a much more rigorous process than a HIPAA audit, with a higher burden of proof placed on the organization trying to achieve certification.
  • Achieving HITRUST CSF Certification requires significantly more time, effort, and resources than a HIPAA audit. Being HITRUST CSF Certified should be seen as a more significant badge for security and compliance than completing a HIPAA audit.

HITRUST vs. HIPAA

HITRUST vs. HIPAA is not an either-or consideration. HIPAA is a set of standards, and the HITRUST CSF provides a prescriptive set of controls that meet the requirements not only of HIPAA but also of other security standards such as PCI and NIST. As such, HITRUST is a valuable resource for risk management and compliance for organizations that handle sensitive data. Rather than a HITRUST vs. HIPAA scenario, the two go hand in hand.

It's not possible for healthcare organizations to become HIPAA-certified, as there is no official certification process or accreditation. An external audit is the best way to ensure HIPAA compliance. When partnering with third-party organizations, covered entities have business associates sign a Business Associate Agreement, which is essentially a promise that they've implemented the right security controls to protect sensitive data. As a certifiable framework with controls mapped to every HIPAA standard and specification, HITRUST CSF Certification provides a more reliable and consistent way for covered entities to ensure that their business associates are, in fact, compliant. Several major healthcare payers already require their business associates to comply with the HITRUST CSF. Certification adds a dose of confidence and a layer of trust.

Why is HITRUST important?

Why does HITRUST matter? As healthcare becomes increasingly dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become an ever more emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization's resources. If that isn't enough, getting through all the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to show they are a trusted business partner.

With all considerations, isn't it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that's exactly what HITRUST has established in order to put the trust in data security.

HITRUST isn't easy, and it shouldn't be. The experience we've gained as a company and the extensive testing of our technology brings great value to our customers.

For more information on HITRUST, check out the Datica Academy or Datica Blog. Additional questions? Contact one of our experts today.

Learn more with Datica's definitive HITRUST guide. This comprehensive guide details the journey to HITRUST CSF Certification, explains why HITRUST matters, describes the structure of the HITRUST framework, details the associated costs of certification, and more.
